[Openstack-security] [Bug 1464750] Re: Service accounts can be used to login horizon

Adam Young 1464750 at bugs.launchpad.net
Wed Oct 25 19:53:44 UTC 2017


Would probably make sense to have a WebUser role that Member inherits.
If a user has WebUser, they can log in to the UI; if they don't, they
can't.  Horizon should not look for the absence of a role as a way to
control UI.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1464750

Title:
  Service accounts can be used to login horizon

Status in OpenStack Dashboard (Horizon):
  Opinion
Status in OpenStack Compute (nova):
  Invalid
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This is not a bug and may / may not be a security issue ... but it
  appears that the service accounts created in keystone are of the same
  privilege level as any other admin accounts created through keystone
  and I don't like that.

  Would it be possible to implement something that would distinguish
  user accounts from service accounts?  Is there a way to isolate some
  service accounts from the rest of the openstack APIs?

  One quick example of this is that any service account has admin
  privileges on all the other services.  At this point, I'm trying to
  figure out why we are creating a distinct service account for each
  service if nothing isolates them.

  i.e.:

  glance account can spawn a VM
  cinder account can delete an image
  heat account can delete a volume
  nova account can create an image

  All of these service accounts have access to the horizon dashboard.  One small hack could be to prevent those accounts from logging in to Horizon.

  Thanks,

  Dave

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1464750/+subscriptions
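Adam Young's suggestion above, require an explicit WebUser role (inherited via Member) rather than denying on the absence of a marker role, as an added Python illustration. This is not Keystone or Horizon code; the role names, the implied-role map and the sample accounts are constructed assumptions.

```python
"""Presence-based Horizon login gate vs. the absence-based anti-pattern.

Assumptions (hypothetical, not taken from Keystone/Horizon): the role names
'WebUser', 'Member', 'admin', 'service' and the implication map below.
"""
from typing import Dict, FrozenSet, Iterable, Set

# Hypothetical implied-role map: holding the key role grants the value roles.
IMPLIED_ROLES: Dict[str, Set[str]] = {
    "Member": {"WebUser"},
}


def effective_roles(assigned: Iterable[str],
                    implied: Dict[str, Set[str]] = IMPLIED_ROLES) -> FrozenSet[str]:
    """Expand directly assigned roles through the implication map (transitive closure)."""
    result: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(implied.get(role, ()))
    return frozenset(result)


def can_login_by_absence(assigned: Iterable[str]) -> bool:
    """Anti-pattern: deny only when a 'service' marker is present.

    Any account that was never tagged (including one with admin on every API,
    or one with no roles at all) is waved through."""
    return "service" not in set(assigned)


def can_login_horizon(assigned: Iterable[str]) -> bool:
    """Suggested check: UI login requires WebUser, directly or by inheritance."""
    return "WebUser" in effective_roles(assigned)


# Constructed sample accounts (not real Keystone data).
SAMPLE_ACCOUNTS = {
    "alice (Member)": ["Member"],
    "ops (admin + Member)": ["admin", "Member"],
    "glance (service, admin only)": ["admin"],
    "nova (service, tagged)": ["admin", "service"],
    "orphan (no roles)": [],
}

if __name__ == "__main__":
    for name, roles in SAMPLE_ACCOUNTS.items():
        print(f"{name:30} absence-check={can_login_by_absence(roles)!s:5} "
              f"presence-check={can_login_horizon(roles)}")
```

Running the block shows that the untagged admin-only service account and the role-less account pass the absence check but fail the presence check, while Member holders pass both via inheritance.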