[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Dec 23 20:09:08 UTC 2013


Okay, I got it...

"Tenant B / Project B" has only 1 member, and it is NOT the user from
"Tenant A".

But, as I said, the user from "Tenant A" is seeing the VNC consoles of
Tenant B VMs anyway. I'm sure this is a security breach.

Cheers!
Thiago

On 23 December 2013 17:56, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:

> Hi!
>
>
> On 23 December 2013 16:53, gustavo panizzo <gfa> <gfa at zumbi.com.ar> wrote:
>
>> is the user member of the two tenants?
>>
>
> No. "Tenant B" has one, and only one, user. I never created a user that
> belongs to more than 1 tenant, my cloud is very simple and small. And
> "Tenant A" user is a member of its own Project, not two.
>
> Only my "Tenant C" has *two users* but no user belongs to two
> tenants. I'm quite sure about this.
>
> Anyway, you asked me an interesting question: how can I see that? I
> mean, is there a command option to list all the tenants that a user is a
> member of? I can see the keystone options like "user-role-list", or
> "tenant-get" but I can't find an option to list the tenants that a user is
> a member of. Tips?!
>
> Tks!
>
>
>>  "Martinx - ジェームズ" <thiagocmartinsc at gmail.com> wrote:
>>
>>>  Stackers!
>>>
>>> I need a bit of help here...
>>>
>>> My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't
>>> know what had happened here but, now, I'm seeing some weird problems.
>>>
>>> Right now, the "Tenant A" is seeing the VNC Consoles of "Tenant B" !!!
>>>
>>> How is that even possible?! There is no authentication here to deal with
>>> this kind of thing!? I'm really worried about this.
>>>
>>> Look:
>>>
>>> "Tenant A" Instances:
>>>
>>> [image: Inline images 1]
>>>
>>>
>>> "Tenant A" accessing the VNC Console of a "Tenant B" Instance!!!
>>>
>>> [image: Inline images 2]
>>>
>>>
>>> This is a very serious problem, since I'm giving "Tenant A"
>>> almost total access to "Tenant B" Instances!! This kind of situation should
>>> NEVER occur!
>>>
>>> What can I do to completely block this?
>>>
>>> I just started a new Instance for "Tenant A", and I'm seeing ANOTHER VNC
>>> Console from "Tenant B"!!
>>>
>>> Regards,
>>> Thiago
>>>
>> --
>> 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
>>
>
>