[Openstack-security] [Bug 1493448] Related fix merged to glance (master)
OpenStack Infra
1493448 at bugs.launchpad.net
Mon Mar 7 19:31:19 UTC 2016
Reviewed: https://review.openstack.org/237742
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=80fef06497c2a1f2e5c7bae4a0e04ab426ec70f7
Submitter: Jenkins
Branch: master
commit 80fef06497c2a1f2e5c7bae4a0e04ab426ec70f7
Author: Mike Fedosin <mfedosin at mirantis.com>
Date: Fri Feb 12 19:43:13 2016 +0300
Deprecate use_user_token parameter
Parameter 'use_user_token' in glance-api.conf was considered harmful and not acceptable for real deployments, because if it's disabled, it changes system behaviour and allows any regular user to perform requests with admin credentials.

In functional tests the default value was set to True to prevent possible failures in the future.

Besides, several admin authN parameters were deprecated as well, because they are useless without 'use_user_token'.

All required information was added to the related documentation sections; the sample config file was updated as well.
https://wiki.openstack.org/wiki/OSSN/OSSN-0060
Change-Id: Icfef49d787fa58e2af2e60e4fdc96633c5f0c010
Related-bug: #1493448
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1493448
Title:
All operations are performed with admin privileges when
'use_user_token' is False
Status in Glance:
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
In glance-api.conf we have a param called 'use_user_token' which is enabled by default. It was introduced to allow for reauthentication when tokens expire and prevents requests from silently failing.
https://review.openstack.org/#/c/29967/
Unfortunately, disabling this parameter leads to security issues and allows a regular user to perform any operation with admin rights.
Steps to reproduce on devstack:
1. Change /etc/glance/glance-api.conf parameters and restart glance-api:
# Pass the user's token through for API requests to the registry.
# Default: True
use_user_token = False
# If 'use_user_token' is not in effect then admin credentials
# can be specified. Requests to the registry on behalf of
# the API will use these credentials.
# Admin user name
admin_user = glance
# Admin password
admin_password = nova
# Admin tenant name
admin_tenant_name = service
# Keystone endpoint
auth_url = http://127.0.0.1:5000/v2.0
(for the v2 API the registry service must be enabled too: data_api = glance.db.registry.api)
2. Create a private image with admin user:
source openrc admin admin
glance --os-image-api-version 1 image-create --name private --is-public False --disk-format qcow2 --container-format bare --file /etc/fstab
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | e533283e6aac072533d1d091a7d2e413 |
| container_format | bare |
| created_at | 2015-09-01T22:17:25.000000 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | private |
| owner | e1cec705e33b4dfaaece11b623f3c680 |
| protected | False |
| size | 616 |
| status | active |
| updated_at | 2015-09-01T22:17:27.000000 |
| virtual_size | None |
+------------------+--------------------------------------+
3. Check the image list with admin user:
glance --os-image-api-version 1 image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec | ami | ami | 25165824 | active |
| c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel | aki | aki | 4979632 | active |
| de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari | ari | 3740163 | active |
| e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private | qcow2 | bare | 616 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
4. Enable demo user and get the image list:
source openrc demo demo
glance --os-image-api-version 1 image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec | ami | ami | 25165824 | active |
| c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel | aki | aki | 4979632 | active |
| de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari | ari | 3740163 | active |
| e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private | qcow2 | bare | 616 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
5. Try to get access to admin's private image with demo user:
glance --os-image-api-version 1 image-show private
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | e533283e6aac072533d1d091a7d2e413 |
| container_format | bare |
| created_at | 2015-09-01T22:17:25.000000 |
| deleted | False |
| disk_format | qcow2 |
| id | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | private |
| owner | e1cec705e33b4dfaaece11b623f3c680 |
| protected | False |
| size | 616 |
| status | active |
| updated_at | 2015-09-01T22:17:27.000000 |
+------------------+--------------------------------------+
The same happens when the demo user creates/updates/deletes any image. v2 with the registry backend enabled is affected too.
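A defender reading this report mostly wants a quick way to spot the misconfiguration in a deployed glance-api.conf and to undo it. The following audit script is an added example, not code from the bug report or from the Glance project. It uses only the standard-library configparser, and the two embedded configurations are constructed samples that mirror the weak settings in the reproduction steps and the corrected default; the function names (parse_conf, audit, harden) are the example's own.

```python
"""Audit glance-api.conf for the use_user_token misconfiguration.

Added example (not Glance code). With use_user_token = False, glance-api
sends every registry request with the admin credentials from its own
config instead of the caller's token, so any user gets admin rights on
images (OSSN-0060). This script flags that setting, the admin credential
options that only matter alongside it, and the registry data_api that
exposes the v2 API to the same problem; harden() returns a corrected file.
"""
import configparser
import io

# Options named in the bug report; all live in [DEFAULT] of glance-api.conf.
ADMIN_CREDENTIAL_OPTIONS = ("admin_user", "admin_password",
                            "admin_tenant_name", "auth_url")
REGISTRY_DATA_API = "glance.db.registry.api"

# Constructed sample: the weak configuration from the reproduction steps.
WEAK_CONF = """
[DEFAULT]
# Pass the user's token through for API requests to the registry.
use_user_token = False
admin_user = glance
admin_password = nova
admin_tenant_name = service
auth_url = http://127.0.0.1:5000/v2.0
data_api = glance.db.registry.api
"""

# Constructed sample: the default (safe) behaviour, option left at True.
SAFE_CONF = """
[DEFAULT]
use_user_token = True
data_api = glance.db.sqlalchemy.api
"""


def parse_conf(text):
    """Parse an oslo.config-style INI file; no value interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of findings for the given config text (empty = clean)."""
    cp = parse_conf(text)
    section = cp["DEFAULT"]
    findings = []
    # The option defaults to True when absent, as the sample config states.
    if section.getboolean("use_user_token", fallback=True):
        return findings
    findings.append("use_user_token = False: registry requests carry the "
                    "service's admin credentials instead of the caller's token")
    present = [o for o in ADMIN_CREDENTIAL_OPTIONS if o in section]
    if present:
        findings.append("admin credentials configured in glance-api.conf: "
                        + ", ".join(present))
    if section.get("data_api", "") == REGISTRY_DATA_API:
        findings.append("data_api = %s: the v2 API also goes through the "
                        "registry and is affected" % REGISTRY_DATA_API)
    return findings


def harden(text):
    """Return config text with use_user_token forced on and the admin
    credential options removed (they are useless without the flag)."""
    cp = parse_conf(text)
    cp["DEFAULT"]["use_user_token"] = "True"
    for option in ADMIN_CREDENTIAL_OPTIONS:
        cp.remove_option("DEFAULT", option)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        print("%s config:" % label)
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
    print("hardened weak config audit:", audit(harden(WEAK_CONF)) or "clean")
```

Run it against a real file with `audit(open("/etc/glance/glance-api.conf").read())`; a non-empty result on a production node is the condition this bug describes, and the fix is the one the commit applies to the sample config: leave `use_user_token` at its default and drop the admin credential options.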
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1493448/+subscriptions