[Openstack-security] [Bug 1493448] Re: All operations are performed with admin privileges when 'use_user_token' is False

Ian Cordasco ian.cordasco at rackspace.com
Tue Oct 20 19:20:39 UTC 2015


** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  In glance-api.conf we have a param called 'use_user_token' which is
  enabled by default. It was introduced to allow for reauthentication when
  tokens expire and prevents requests from silently failing.
  https://review.openstack.org/#/c/29967/
  
  Unfortunately disabling this parameter leads to security issues and
  allows a regular user to perform any operation with admin rights.
  
  Steps to reproduce on devstack:
  1. Change /etc/glance/glance-api.conf parameters and restart glance-api:
  # Pass the user's token through for API requests to the registry.
  # Default: True
  use_user_token = False
  
  # If 'use_user_token' is not in effect then admin credentials
  # can be specified. Requests to the registry on behalf of
  # the API will use these credentials.
  # Admin user name
  admin_user = glance
  # Admin password
  admin_password = nova
  # Admin tenant name
  admin_tenant_name = service
  # Keystone endpoint
  auth_url = http://127.0.0.1:5000/v2.0
  
  (for v2 api it's required to enable registry service, too: data_api =
  glance.db.registry.api)
  
  2. Create a private image with admin user:
  source openrc admin admin
  glance --os-image-api-version 1 image-create --name private --is-public False --disk-format qcow2 --container-format bare --file /etc/fstab
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | e533283e6aac072533d1d091a7d2e413     |
  | container_format | bare                                 |
  | created_at       | 2015-09-01T22:17:25.000000           |
  | deleted          | False                                |
  | deleted_at       | None                                 |
  | disk_format      | qcow2                                |
  | id               | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
  | is_public        | False                                |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | private                              |
  | owner            | e1cec705e33b4dfaaece11b623f3c680     |
  | protected        | False                                |
  | size             | 616                                  |
  | status           | active                               |
  | updated_at       | 2015-09-01T22:17:27.000000           |
  | virtual_size     | None                                 |
  +------------------+--------------------------------------+
  
  3. Check the image list with admin user:
  glance --os-image-api-version 1 image-list
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec         | ami         | ami              | 25165824 | active |
  | c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel  | aki         | aki              | 4979632  | active |
  | de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari         | ari              | 3740163  | active |
  | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private                         | qcow2       | bare             | 616      | active |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  
  4. Enable demo user and get the image list:
  source openrc demo demo
  glance --os-image-api-version 1 image-list
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec         | ami         | ami              | 25165824 | active |
  | c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel  | aki         | aki              | 4979632  | active |
  | de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari         | ari              | 3740163  | active |
  | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private                         | qcow2       | bare             | 616      | active |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  
  5. Try to get access to admin's private image with demo user:
  
  glance --os-image-api-version 1 image-show private
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | e533283e6aac072533d1d091a7d2e413     |
  | container_format | bare                                 |
  | created_at       | 2015-09-01T22:17:25.000000           |
  | deleted          | False                                |
  | disk_format      | qcow2                                |
  | id               | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
  | is_public        | False                                |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | private                              |
  | owner            | e1cec705e33b4dfaaece11b623f3c680     |
  | protected        | False                                |
  | size             | 616                                  |
  | status           | active                               |
  | updated_at       | 2015-09-01T22:17:27.000000           |
  +------------------+--------------------------------------+
  
  The same happens when demo user wants to create/update/delete any image.
  v2 with enabled registry backend is affected too.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1493448

Title:
  All operations are performed with admin privileges when
  'use_user_token' is False

Status in Glance:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1493448/+subscriptions
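Added example (not Glance's code and not part of the bug report above): a toy Python model of the glance-api to glance-registry hop that the report describes, replaying steps 2 to 5 under both settings, plus a small check that flags the weak [DEFAULT] settings from step 1 in a glance-api.conf. RequestContext, Registry, ImageAPI, reproduce() and audit_glance_api_conf() are hypothetical names; the demo tenant id and the config text are constructed sample values.

```python
# Added example, not Glance's own code: a minimal model of the glance-api ->
# glance-registry hop showing why 'use_user_token = False' makes every caller
# look like the service admin. RequestContext, Registry, ImageAPI, reproduce()
# and audit_glance_api_conf() are hypothetical stand-ins; the demo tenant id
# and WEAK_CONF are constructed sample values.
import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """What the registry knows about the caller after token validation."""
    user: str
    tenant: str
    is_admin: bool = False


@dataclass
class Image:
    id: str
    name: str
    owner: str
    is_public: bool


class Registry:
    """Stand-in for glance-registry: it trusts whatever context it is handed
    and enforces visibility and ownership against that context only."""

    def __init__(self):
        self._images = {}

    @staticmethod
    def _visible(ctx, img):
        return ctx.is_admin or img.is_public or img.owner == ctx.tenant

    def create(self, ctx, img):
        self._images[img.id] = img

    def list(self, ctx):
        return [i for i in self._images.values() if self._visible(ctx, i)]

    def show(self, ctx, image_id):
        img = self._images[image_id]
        if not self._visible(ctx, img):
            raise PermissionError("403 Forbidden")
        return img

    def delete(self, ctx, image_id):
        img = self.show(ctx, image_id)
        if not (ctx.is_admin or img.owner == ctx.tenant):
            raise PermissionError("403 Forbidden")
        del self._images[image_id]


# Context glance-api obtains when it re-authenticates with the static
# admin_user / admin_password / admin_tenant_name from glance-api.conf.
SERVICE_ADMIN = RequestContext(user="glance", tenant="service", is_admin=True)


class ImageAPI:
    """Stand-in for glance-api. The caller's token is validated either way;
    what differs is whose identity reaches the registry."""

    def __init__(self, registry, use_user_token=True):
        self.registry = registry
        self.use_user_token = use_user_token

    def _registry_ctx(self, caller):
        # True: pass the user's token through, so the registry sees the real
        # caller. False: substitute the service admin, discarding the caller's
        # tenant and admin flag. That substitution is the bug.
        return caller if self.use_user_token else SERVICE_ADMIN

    def image_create(self, caller, img):
        self.registry.create(self._registry_ctx(caller), img)

    def image_list(self, caller):
        return self.registry.list(self._registry_ctx(caller))

    def image_delete(self, caller, image_id):
        self.registry.delete(self._registry_ctx(caller), image_id)


def reproduce(use_user_token):
    """Replay steps 2-5: admin uploads a private image, then demo lists images
    and tries to delete admin's image. Returns (names demo can see, whether
    demo's delete succeeded)."""
    api = ImageAPI(Registry(), use_user_token)
    admin = RequestContext("admin", "e1cec705e33b4dfaaece11b623f3c680", is_admin=True)
    demo = RequestContext("demo", "demo-tenant-id")  # constructed tenant id
    api.image_create(admin, Image("4a1703e7", "cirros-0.3.4-x86_64-uec", admin.tenant, True))
    api.image_create(admin, Image("e0d0bf2f", "private", admin.tenant, False))
    visible = [i.name for i in api.image_list(demo)]
    try:
        api.image_delete(demo, "e0d0bf2f")
        deleted = True
    except PermissionError:
        deleted = False
    return visible, deleted


def audit_glance_api_conf(text):
    """Flag the weak setting in a glance-api.conf [DEFAULT] section. Returns a
    list of findings; an empty list means the safe default is in effect."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if not cp.getboolean("DEFAULT", "use_user_token", fallback=True):
        findings.append("use_user_token = False: registry calls run as the "
                        "service admin for every caller")
        if cp.get("DEFAULT", "admin_password", fallback=""):
            findings.append("admin_password set: glance-api holds a static "
                            "admin credential")
    return findings


# Constructed sample: the non-comment lines from step 1 of the report.
WEAK_CONF = """[DEFAULT]
use_user_token = False
admin_user = glance
admin_password = nova
admin_tenant_name = service
auth_url = http://127.0.0.1:5000/v2.0
"""

if __name__ == "__main__":
    print("use_user_token=True :", reproduce(True))
    print("use_user_token=False:", reproduce(False))
    for finding in audit_glance_api_conf(WEAK_CONF):
        print("FINDING:", finding)
```

With the default (use_user_token = True) the registry sees demo's own context and refuses both the listing of and the delete on admin's private image; with it set to False every registry call carries the service admin's context, which is exactly what steps 4 and 5 of the report show. The audit function is the check a practitioner would run over a deployed glance-api.conf: any result other than an empty list means the registry trusts the wrong identity.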
