[openstack-dev] [Keystone] internalURL and adminURL of endpoints should not be visible to ordinary user

Duncan Thomas duncan.thomas at gmail.com
Sun Nov 30 09:46:51 UTC 2014


The internal URL is used for more than just admin actions, and admin is no
longer a global flag, so this restriction is not suitable.

Duncan Thomas
On Nov 29, 2014 6:08 AM, "joehuang" <joehuang at huawei.com> wrote:

> Hello,
>
> if an ordinary user sends a get-token request to Keystone, the internalURL and
> adminURL of endpoints will also be returned. It'll expose the internal
> high-privilege access address and some internal network topology information to
> the ordinary user, and leads to the risk of a malicious user attacking or
> hijacking the system.
>
> the request to get a token for an ordinary user:
> curl -d '{"auth":{"passwordCredentials":{"username": "huawei", "password": "2014"},"tenantName":"huawei"}}' \
>      -H "Content-type: application/json" \
>      http://localhost:5000/v2.0/tokens
>
> the response will include internalURL and adminURL of endpoints:
> {"access": {
>   "token": {"issued_at": "2014-11-27T02:30:59.218772", "expires": "2014-11-27T03:30:59Z",
>             "id": "b8684d2b68ab49d5988da9197f38a878",
>             "tenant": {"description": "normal Tenant", "enabled": true,
>                        "id": "7ed3351cd58349659f0bfae002f76a77", "name": "huawei"},
>             "audit_ids": ["Ejn3BtaBTWSNtlj7beE9bQ"]},
>   "serviceCatalog": [
>     {"endpoints": [{"adminURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77",
>                     "region": "regionOne",
>                     "internalURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77",
>                     "id": "170a3ae617a1462c81bffcbc658b7746",
>                     "publicURL": "http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77"}],
>      "endpoints_links": [], "type": "compute", "name": "nova"},
>     {"endpoints": [{"adminURL": "http://10.67.148.27:9696", "region": "regionOne",
>                     "internalURL": "http://10.67.148.27:9696",
>                     "id": "7c0f28aa4710438bbd84fd25dbe4daa6", "publicURL": "http://10.67.148.27:9696"}],
>      "endpoints_links": [], "type": "network", "name": "neutron"},
>     {"endpoints": [{"adminURL": "http://10.67.148.27:9292", "region": "regionOne",
>                     "internalURL": "http://10.67.148.27:9292",
>                     "id": "576f41fc8ef14b4f90e516bb45897491", "publicURL": "http://10.67.148.27:9292"}],
>      "endpoints_links": [], "type": "image", "name": "glance"},
>     {"endpoints": [{"adminURL": "http://10.67.148.27:8777", "region": "regionOne",
>                     "internalURL": "http://10.67.148.27:8777",
>                     "id": "77d464e146f242aca3c50e10b6cfdaa0", "publicURL": "http://10.67.148.27:8777"}],
>      "endpoints_links": [], "type": "metering", "name": "ceilometer"},
>     {"endpoints": [{"adminURL": "http://10.67.148.27:6385", "region": "regionOne",
>                     "internalURL": "http://10.67.148.27:6385",
>                     "id": "1b8177826e0c426fa73e5519c8386589", "publicURL": "http://10.67.148.27:6385"}],
>      "endpoints_links": [], "type": "baremetal", "name": "ironic"},
>     {"endpoints": [{"adminURL": "http://10.67.148.27:35357/v2.0", "region": "regionOne",
>                     "internalURL": "http://10.67.148.27:5000/v2.0",
>                     "id": "435ae249fd2a427089cb4bf2e6c0b8e9", "publicURL": "http://10.67.148.27:5000/v2.0"}],
>      "endpoints_links": [], "type": "identity", "name": "keystone"}],
>   "user": {"username": "huawei", "roles_links": [], "id": "a88a40a635334e5da2ac3523d9780ed3",
>            "roles": [{"name": "_member_"}], "name": "huawei"},
>   "metadata": {"is_admin": 0, "roles": ["73b0a1ac6b0c48cb90205c53f2b9e48d"]}}}
>
> At least, the internalURL and adminURL of endpoints should not be returned
> to ordinary users, unless the admin has configured the policy to allow
> ordinary users the right to see them.
>
> Best Regards
> Chaoyi Huang ( Joe Huang )
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
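
Added example, not Keystone's code and not anything posted in the thread: a
Python sketch of the policy-gated filtering Joe proposes (drop internalURL and
adminURL from the v2.0 service catalog unless the caller's roles permit them),
together with a check that reports which non-public URLs actually disclose a
host or port that the publicURL does not already reveal. The token response is
constructed to mirror the shape quoted above, with 192.0.2.10 (TEST-NET-1)
standing in for the public address and 10.67.148.27 for the internal one; the
role name "admin" is an assumption standing in for a deployment policy, and
the function names are this example's own.

```python
import copy
import json
from urllib.parse import urlsplit

# Constructed sample (not captured from a real deployment): a v2.0 token
# response in the shape quoted in the thread, trimmed to three services.
# 192.0.2.10 (TEST-NET-1) plays the public address; 10.67.148.27 is the
# internal/management address; tenant and endpoint ids are placeholders.
TENANT_ID = "7ed3351cd58349659f0bfae002f76a77"

SAMPLE_TOKEN_RESPONSE = {
    "access": {
        "token": {"id": "b8684d2b68ab49d5988da9197f38a878",
                  "tenant": {"id": TENANT_ID, "name": "huawei"}},
        "serviceCatalog": [
            {"type": "compute", "name": "nova", "endpoints_links": [],
             "endpoints": [{"region": "regionOne", "id": "170a3ae617a1462c81bffcbc658b7746",
                            "publicURL": f"http://192.0.2.10:8774/v2/{TENANT_ID}",
                            "internalURL": f"http://10.67.148.27:8774/v2/{TENANT_ID}",
                            "adminURL": f"http://10.67.148.27:8774/v2/{TENANT_ID}"}]},
            {"type": "image", "name": "glance", "endpoints_links": [],
             "endpoints": [{"region": "regionOne", "id": "576f41fc8ef14b4f90e516bb45897491",
                            "publicURL": "http://192.0.2.10:9292",
                            "internalURL": "http://192.0.2.10:9292",
                            "adminURL": "http://192.0.2.10:9292"}]},
            {"type": "identity", "name": "keystone", "endpoints_links": [],
             "endpoints": [{"region": "regionOne", "id": "435ae249fd2a427089cb4bf2e6c0b8e9",
                            "publicURL": "http://192.0.2.10:5000/v2.0",
                            "internalURL": "http://192.0.2.10:5000/v2.0",
                            "adminURL": "http://192.0.2.10:35357/v2.0"}]},
        ],
        "user": {"username": "huawei", "id": "a88a40a635334e5da2ac3523d9780ed3",
                 "roles": [{"name": "_member_"}], "name": "huawei"},
        "metadata": {"is_admin": 0},
    }
}

# The two catalog interfaces the thread argues should not reach ordinary users.
NON_PUBLIC_INTERFACES = ("internalURL", "adminURL")


def caller_roles(token_response):
    """Role names carried in the token response's user block."""
    return {role["name"] for role in token_response["access"]["user"].get("roles", [])}


def filter_catalog(token_response, roles_allowed_non_public=frozenset({"admin"})):
    """Return a copy of the token response with internalURL/adminURL removed
    from every endpoint unless the caller holds one of the allowed roles.

    The role set is an assumption standing in for a deployment policy; since
    admin is not a global flag, a real implementation would consult Keystone's
    policy rather than hard-code a role name.
    """
    filtered = copy.deepcopy(token_response)
    if caller_roles(filtered) & set(roles_allowed_non_public):
        return filtered
    for service in filtered["access"]["serviceCatalog"]:
        for endpoint in service["endpoints"]:
            for interface in NON_PUBLIC_INTERFACES:
                endpoint.pop(interface, None)
    return filtered


def disclosed_addresses(token_response):
    """List (service, interface, host:port) for every internalURL/adminURL whose
    host or port is not already visible through the same endpoint's publicURL.

    Only these entries reveal topology; a non-public URL identical to the
    public one discloses nothing new.
    """
    findings = []
    for service in token_response["access"]["serviceCatalog"]:
        for endpoint in service["endpoints"]:
            public = urlsplit(endpoint["publicURL"])
            for interface in NON_PUBLIC_INTERFACES:
                url = endpoint.get(interface)
                if not url:
                    continue
                parts = urlsplit(url)
                if (parts.hostname, parts.port) != (public.hostname, public.port):
                    findings.append((service["name"], interface, f"{parts.hostname}:{parts.port}"))
    return findings


def interfaces_present(token_response):
    """Set of *URL keys that appear anywhere in the catalog."""
    keys = set()
    for service in token_response["access"]["serviceCatalog"]:
        for endpoint in service["endpoints"]:
            keys.update(k for k in endpoint if k.endswith("URL"))
    return keys


if __name__ == "__main__":
    for finding in disclosed_addresses(SAMPLE_TOKEN_RESPONSE):
        print("disclosed:", *finding)
    member_view = filter_catalog(SAMPLE_TOKEN_RESPONSE)
    print(json.dumps(member_view["access"]["serviceCatalog"], indent=2))
```

Run against the catalog quoted above, the disclosure check would flag only
keystone's adminURL on port 35357: nova, neutron, glance, ceilometer and ironic
there return the same URL for all three interfaces, so for them the
internalURL/adminURL entries add no information beyond the publicURL.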