[Openstack-security] [Bug 1684320] Re: Domain admin has access to service Admin API with policy.v3cloudsample.json

Jeremy Stanley fungi at yuggoth.org
Wed Aug 16 15:44:44 UTC 2017 

Okay, so somewhere between the aforementioned B2 ("A vulnerability
without a complete fix yet...") and B1 ("A vulnerability that can only
be fixed in master, security note for stable branches, e.g., default
config value is insecure"). I'll go ahead and mark our advisory task
"won't fix" and let the OSSN editors decide how and when they might want
to write this up as a note.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1684320

Title:
  Domain admin has access to service Admin API with
  policy.v3cloudsample.json

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Keystone has a sample policy file to create a concept of domains per
  customer, with a domain admin that manages users and tenants inside
  that domain.

  https://github.com/openstack/keystone/commits/master/etc/policy.v3cloudsample.json

  In this policy, the domain admin role (a user who manages that domain)
  would get the "admin" role assigned to them.  However, with the
  "admin" role assigned to them, they can make requests to the admin_api
  (in this case, the Nova example).

  https://github.com/openstack/nova/blob/master/nova/policies/base.py#L18-L28

  I have done a fair bit of checking but I believe that a domain admin
  can get full access to the admin_api (or be able to create a user with
  an "admin" role and get access to the entire cloud).  I believe this
  affects all other projects and users of this policy would not be aware
  at the level of access given to a domain admin.

  Perhaps the file can be revised to use a role like "domain_admin" and
  Keystone would have a setting of "reserved role names" which cannot be
  used (e.g. block the role "admin" from being created in a domain).

  Please forgive me in advance if this is not a security issue and a
  lack of understanding (I hope it is), but I have done a fair amount of
  research on this so far and it seems like getting access to that
  `admin` role is an issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1684320/+subscriptions

More information about the Openstack-security mailing list