[Openstack-security] [Bug 1842930] Re: Deleted user still can delete volumes in Horizon

Jeremy Stanley fungi at yuggoth.org
Thu Sep 19 14:51:22 UTC 2019 

Thanks, I'm marking our security advisory task "won't fix" and lifting
the private embargo, treating this as a class D report indicating a need
for documentation improvements: https://security.openstack.org/vmt-
process.html#incident-report-taxonomy

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  ==Problem==
  User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.
  
  ==Steps to reproduce==
  Install OpenStack following official docs for Stein.
  Login as admin to (Horizon) in one browser.
  Create a user with role 'member' and assign it to a project.
  Open another browser and login as created user.
  As admin user delete created user from "first" browser.
  Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.
  
  ==Expected result==
  User session in current browser is closed after user is deleted in another browser.
  I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).
  
  ==Environment==
  OpenStack Stein
  rpm -qa | grep -i stein
  centos-release-openstack-stein-1-1.el7.centos.noarch
  
  cat /etc/redhat-release
  CentOS Linux release 7.6.1810 (Core)
  
   rpm -qa | grep -i horizon
  python2-django-horizon-15.1.0-1.el7.noarch
  
  rpm -qa | grep -i dashboard
  openstack-dashboard-15.1.0-1.el7.noarch
  openstack-dashboard-theme-15.1.0-1.el7.noarch

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1842930

Title:
  Deleted user still can delete volumes in Horizon

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  ==Problem==
  User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.

  ==Steps to reproduce==
  Install OpenStack following official docs for Stein.
  Login as admin to (Horizon) in one browser.
  Create a user with role 'member' and assign it to a project.
  Open another browser and login as created user.
  As admin user delete created user from "first" browser.
  Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.

  ==Expected result==
  User session in current browser is closed after user is deleted in another browser.
  I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).

  ==Environment==
  OpenStack Stein
  rpm -qa | grep -i stein
  centos-release-openstack-stein-1-1.el7.centos.noarch

  cat /etc/redhat-release
  CentOS Linux release 7.6.1810 (Core)

   rpm -qa | grep -i horizon
  python2-django-horizon-15.1.0-1.el7.noarch

  rpm -qa | grep -i dashboard
  openstack-dashboard-15.1.0-1.el7.noarch
  openstack-dashboard-theme-15.1.0-1.el7.noarch

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1842930/+subscriptions

More information about the Openstack-security mailing list