[Openstack-security] [Bug 1376915] Change abandoned on ceilometer (master)
OpenStack Infra
1376915 at bugs.launchpad.net
Thu Sep 10 19:57:45 UTC 2015
Change abandoned by Matthew Edmonds (edmondsw at us.ibm.com) on branch: master
Review: https://review.openstack.org/132097
Reason: pycadf.middleware.audit was deprecated/removed in favor of keystonemiddleware.audit. The latter uses events rather than meters, where this is no longer relevant.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1376915
Title:
Access to sensitive audit data is not properly restricted
Status in Ceilometer:
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Audit data stored in http.request and http.response meters is not
being adequately protected. Admins are allowed to access audit data
for all projects rather than just their own. Non-admins are allowed to
access audit data for all users within their project rather than just
themselves. A non-admin user should not be able to see what other
users are doing, and being an admin in project A does not make you an
admin in project B.
The following blueprints acknowledge the lack of this support. To
quote one: "as ceilometer collects more and more different types of
data... some of the data collected may be 'privileged' data that only
admins should have access to regardless of membership to a tenant (ie.
audit data should only be visible to admins)". That day has come, and
the implementation of these blueprints is still missing. At this point
there is a security hole here (data exposure) which needs to be
plugged immediately, either with the implementation of one of these
blueprints (which should probably be merged together) or by a less
flexible but more easily implemented stopgap measure. Given time
constraints and the urgency of closing this hole, I propose the
latter, though the blueprints will obviously still be necessary for a
more robust and complete solution.
https://blueprints.launchpad.net/ceilometer/+spec/advanced-policy-rule
and https://blueprints.launchpad.net/ceilometer/+spec/admin-only-api-access
and https://blueprints.launchpad.net/ceilometer/+spec/ready-ceilometer-rbac-keystone-v3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1376915/+subscriptions
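The stopgap scoping the bug description proposes, as an added example that is not ceilometer's own code: a small Python model in which the API forces project_id/user_id filters onto audit-meter queries instead of trusting the client's filters, with a flag that reproduces the reported exposure for comparison. AuthContext, Sample, the records and the stopgap flag are assumptions made for illustration.

```python
# Added example, not ceilometer's own code: models the access scoping the bug
# report proposes as a stopgap for http.request / http.response meters.
# AuthContext, Sample and the records below are constructed for illustration.
from dataclasses import dataclass

AUDIT_METERS = {"http.request", "http.response"}

@dataclass(frozen=True)
class AuthContext:
    user_id: str
    project_id: str
    is_admin: bool

@dataclass(frozen=True)
class Sample:
    meter: str
    user_id: str
    project_id: str

def mandatory_constraints(ctx, stopgap=True):
    """Filters forced onto an audit query, whatever the client asked. stopgap=False
    reproduces the exposure in the report (admins unscoped, non-admins see every
    user in their project); stopgap=True scopes admins to their project, others to themselves."""
    if ctx.is_admin:
        return {"project_id": ctx.project_id} if stopgap else {}
    forced = {"project_id": ctx.project_id}
    if stopgap:
        forced["user_id"] = ctx.user_id
    return forced

def scoped_query(ctx, requested, stopgap=True):
    """Merge client filters with the forced ones; a conflicting client filter is refused."""
    forced = mandatory_constraints(ctx, stopgap)
    for key, value in forced.items():
        if key in requested and requested[key] != value:
            raise PermissionError(f"{key}={requested[key]!r} is outside the caller's scope")
    return {**requested, **forced}

def run_query(query, samples):
    """Stand-in for the storage backend: apply the final filters to audit samples."""
    return [s for s in samples if s.meter in AUDIT_METERS
            and all(getattr(s, k) == v for k, v in query.items())]

SAMPLES = [
    Sample("http.request", "alice", "proj-a"),
    Sample("http.response", "bob", "proj-a"),
    Sample("http.request", "carol", "proj-b"),
    Sample("cpu", "alice", "proj-a"),
]
```

With stopgap=True a non-admin sees only their own audit samples and a project admin only their own project's; with stopgap=False the counts widen exactly as the report describes.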