[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Dec 23 19:56:43 UTC 2013


Hi!


On 23 December 2013 16:53, gustavo panizzo <gfa> <gfa at zumbi.com.ar> wrote:

> is the user member of the two tenants?
>

No. "Tenant B" has one, and only one, user. I never created a user that
belongs to more than 1 tenant; my cloud is very simple and small. And
the "Tenant A" user is a member of its own Project, not two.

Only my "Tenant C" has *two users*, but no user belongs to two
tenants. I'm quite sure about this.

Anyway, you asked me an interesting question: how can I see that? I mean,
is there a command option to list all the tenants that a user is a member of?
I can see the keystone options like "user-role-list" or "tenant-get", but
I can't find an option to list the tenants that a user is a member of. Tips?!

Tks!


> "Martinx - ジェームズ" <thiagocmartinsc at gmail.com> wrote:
>
>>  Stackers!
>>
>> I need a bit of help here...
>>
>> My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't
>> know what happened here, but now I'm seeing some weird problems.
>>
>> Right now, the "Tenant A" is seeing the VNC Consoles of "Tenant B" !!!
>>
>> How is that even possible?! Is there no authentication here to deal with
>> this kind of thing!? I'm really worried about this.
>>
>> Look:
>>
>> "Tenant A" Instances:
>>
>> [image: Inline images 1]
>>
>>
>> "Tenant A" accessing the VNC Console of a "Tenant B" Instance!!!
>>
>> [image: Inline images 2]
>>
>>
>> This is a very serious problem, since I'm giving "Tenant A"
>> almost total access to "Tenant B" Instances!! This kind of situation should
>> NEVER occur!
>>
>> What can I do to completely block this?
>>
>> I just started a new Instance for "Tenant A", and I'm seeing ANOTHER VNC
>> Console from "Tenant B"!!
>>
>> Regards,
>> Thiago
>>
>> ------------------------------
>>
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>>
> --
> 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
>
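Editor's note: the Havana-era Keystone v2 CLI has no single command that lists the tenants a user belongs to, which is the question raised above. The script below is an added example (not code from the thread) that derives that mapping by walking `keystone tenant-list`, `keystone user-list` and `keystone user-role-list --user U --tenant T`, parsing their table output, and then flagging users with roles in more than one tenant. It assumes OS_* credentials are exported and that the table layout matches the 2013 client; the inline sample tables are constructed so the code also runs offline.

```python
import subprocess
from collections import defaultdict

def run_keystone(*args):
    """Run a keystone subcommand and return its stdout (real CLI; needs OS_* env vars)."""
    return subprocess.check_output(["keystone", *args], text=True)

def parse_table(text):
    """Parse the PrettyTable listing the keystone client prints into dicts keyed by header."""
    rows = [l for l in text.splitlines() if l.startswith("|")]
    if not rows:
        return []
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in r.strip("|").split("|"))))
            for r in rows[1:]]

def tenants_per_user(run=run_keystone):
    """Map user name -> set of tenant names in which that user holds any role."""
    tenants = parse_table(run("tenant-list"))
    users = parse_table(run("user-list"))
    membership = defaultdict(set)
    for t in tenants:
        for u in users:
            roles = parse_table(run("user-role-list", "--user", u["id"], "--tenant", t["id"]))
            if roles:                       # an empty table means no role in this tenant
                membership[u["name"]].add(t["name"])
    return dict(membership)

def multi_tenant_users(membership):
    """Users with roles in more than one tenant: the cross-tenant check asked for in the thread."""
    return sorted(u for u, ts in membership.items() if len(ts) > 1)

# Constructed sample output (hypothetical ids/names) standing in for the real CLI.
FAKE_TENANTS = "+----+---------+\n| id | name    |\n+----+---------+\n| t1 | TenantA |\n| t2 | TenantB |\n+----+---------+"
FAKE_USERS = "+----+-------+\n| id | name  |\n+----+-------+\n| u1 | alice |\n| u2 | bob   |\n+----+-------+"
FAKE_ROLES = {("u1", "t1"): "Member", ("u2", "t2"): "Member", ("u2", "t1"): "admin"}

def fake_run(*args):
    """Offline stand-in for run_keystone that answers from the constructed tables above."""
    if args[0] == "tenant-list":
        return FAKE_TENANTS
    if args[0] == "user-list":
        return FAKE_USERS
    role = FAKE_ROLES.get((args[2], args[4]))
    return "+--------+\n| name   |\n+--------+\n| %s |\n+--------+" % role if role else ""

if __name__ == "__main__":
    m = tenants_per_user(fake_run)          # swap in run_keystone against a live cloud
    print(m, "users in >1 tenant:", multi_tenant_users(m))
```

Running it against a live Havana deployment (`tenants_per_user()` with the default runner) gives the per-user tenant list the thread asks for; any name returned by `multi_tenant_users` is a user whose access spans tenants and deserves a look.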