[Openstack-security] [Bug 1842930] Re: Deleted user still can delete volumes in Horizon

Akihiro Motoki 1842930 at bugs.launchpad.net
Thu Sep 19 15:12:40 UTC 2019 

> Thank you for pointing the SESSION_TIMEOUT option. I was looking
through Horizon options to mitigate this problem and thought about using
it.

For more detail, there are two options involved in horizon.
- SESSION_TIMEOUT
- SESSION_REFRESH
If SESSION_REFRESH is set to True (current default), a shorter SESSION_TIMEOUT would not matter for most cases.

> So is the default keystonemiddleware cache expiration time in such
deployment equals to 300 sec? Although I can look up token's expiration
time, issuing "openstack token issue" command.

The default value is defined here [1].
You can test the timeout of keystonemiddlware cache using curl.
[2] is an example in my devstack environment. L.39-49 retrieves a token before the user is deleted and tests it works. L.81 confirms the token is still valid just after the user is deleted. I confirmed the curl command failed with auth error a couple of minuites later (though the paste does not cover it). You can try the similar.

[1] https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_opts.py#L107-L112
[2] http://paste.openstack.org/show/777693/

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1842930

Title:
  Deleted user still can delete volumes in Horizon

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  ==Problem==
  User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.

  ==Steps to reproduce==
  Install OpenStack following official docs for Stein.
  Login as admin to (Horizon) in one browser.
  Create a user with role 'member' and assign it to a project.
  Open another browser and login as created user.
  As admin user delete created user from "first" browser.
  Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.

  ==Expected result==
  User session in current browser is closed after user is deleted in another browser.
  I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).

  ==Environment==
  OpenStack Stein
  rpm -qa | grep -i stein
  centos-release-openstack-stein-1-1.el7.centos.noarch

  cat /etc/redhat-release
  CentOS Linux release 7.6.1810 (Core)

   rpm -qa | grep -i horizon
  python2-django-horizon-15.1.0-1.el7.noarch

  rpm -qa | grep -i dashboard
  openstack-dashboard-15.1.0-1.el7.noarch
  openstack-dashboard-theme-15.1.0-1.el7.noarch

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1842930/+subscriptions

More information about the Openstack-security mailing list