[Openstack-security] [Bug 1376915] Re: Access to sensitive audit data is not properly restricted
Eoghan Glynn
1376915 at bugs.launchpad.net
Mon Feb 2 14:03:34 UTC 2015
** Changed in: ceilometer
Milestone: kilo-2 => kilo-3
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1376915
Title:
Access to sensitive audit data is not properly restricted
Status in OpenStack Telemetry (Ceilometer):
In Progress
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Audit data stored in http.request and http.response meters is not
being adequately protected. Admins are allowed to access audit data
for all projects rather than just their own. Non-admins are allowed to
access audit data for all users within their project rather than just
themselves. A non-admin user should not be able to see what other
users are doing, and being an admin in project A does not make you an
admin in project B.
The following blueprints acknowledge the lack of this support. To
quote one: "as ceilometer collects more and more different types of
data... some of the data collected may be 'privileged' data that only
admins should have access to regardless of membership to a tenant (ie.
audit data should only be visible to admins)". That day has come, and
the implementation of these blueprints is still missing. At this point
there is a security hole here (data exposure) which needs to be
plugged immediately, either with the implementation of one of these
blueprints (which should probably be merged together) or by a less
flexible but more easily implemented stopgap measure. Given time
constraints and the urgency of closing this hole, I propose the
latter, though the blueprints will obviously still be necessary for a
more robust and complete solution.
https://blueprints.launchpad.net/ceilometer/+spec/advanced-policy-rule
and https://blueprints.launchpad.net/ceilometer/+spec/admin-only-api-access
and https://blueprints.launchpad.net/ceilometer/+spec/ready-ceilometer-rbac-keystone-v3
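The stopgap scoping rule the bug proposes, written out as an added illustration (this is not Ceilometer's code or the patch that closed the bug; the context dict shape, the sample dict fields and the sample data are assumptions constructed for the example): audit meters are restricted to the caller's own user inside their own project for non-admins, and to the caller's own project only for admins, so being admin in project A grants nothing in project B.

```python
# Added example: a stopgap scoping filter for Ceilometer-style audit meters.
# Illustrative code, not Ceilometer's own implementation; the request context
# fields and the sample dicts are assumed/constructed for this example.

AUDIT_METERS = {"http.request", "http.response"}


def scope_audit_samples(ctx, samples):
    """Return only the samples the caller is allowed to see.

    ctx: dict with 'user_id', 'project_id', 'is_admin' (assumed shape).
    Rule (the stopgap described in the bug report):
      * a non-admin sees an audit sample only if it is in the caller's
        project AND was produced by the caller's own user;
      * an admin sees audit samples for their own project only, not for
        every project in the cloud;
      * non-audit meters keep the usual project-wide scoping.
    """
    allowed = []
    for s in samples:
        same_project = s.get("project_id") == ctx["project_id"]
        if s.get("counter_name") in AUDIT_METERS:
            if ctx["is_admin"]:
                visible = same_project
            else:
                visible = same_project and s.get("user_id") == ctx["user_id"]
        else:
            visible = same_project
        if visible:
            allowed.append(s)
    return allowed


# Constructed sample data: two projects, three users, audit and non-audit meters.
SAMPLES = [
    {"counter_name": "http.request", "project_id": "A", "user_id": "alice"},
    {"counter_name": "http.request", "project_id": "A", "user_id": "bob"},
    {"counter_name": "http.response", "project_id": "B", "user_id": "carol"},
    {"counter_name": "cpu_util", "project_id": "A", "user_id": "bob"},
]

# Constructed request contexts: a plain member of A and an admin of A.
ALICE = {"user_id": "alice", "project_id": "A", "is_admin": False}
ADMIN_A = {"user_id": "root-a", "project_id": "A", "is_admin": True}

if __name__ == "__main__":
    for ctx in (ALICE, ADMIN_A):
        seen = [(s["counter_name"], s["user_id"]) for s in scope_audit_samples(ctx, SAMPLES)]
        print(ctx["user_id"], "->", seen)
```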