[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Dec 23 20:57:24 UTC 2013


Hi Diego!

I did not reinstall OpenStack components or the Compute Node... It was a fresh
install that I started using in production.

I have done this before, I mean, reinstalled things without formatting the
server, but I always remove all the remaining instances with virt-manager
before starting over again; not this time, though.

This security breach is happening right now here and I don't know what I can
do to fix it, or what I should write in a bug at Launchpad...

*This problem is very serious*, mostly because "Tenant A" can't see its own
instances, so it is unable to use OpenStack anymore, and "Tenant B"
isn't aware that someone else is accessing its instances without its
permission.

I'm sure that this problem is worth a look by someone more expert
than I am.

Tks!
Thiago


On 23 December 2013 18:12, Diego Parrilla Santamaría <
diego.parrilla.santamaria at gmail.com> wrote:

> Did you reinstall your system? If so, are you sure you deleted the
> previous running VMs in the compute server?
>
> I have seen this before when trying to launch a VM and there are
> 'forgotten' VMs running with the same uuid in libvirt+kvm.
>
> If it's a bug, it's really a good one...
>
> Cheers
> Diego
>
> --
> Diego Parrilla, CEO, StackOps <http://www.stackops.com/>
>
>
>
>
> On Mon, Dec 23, 2013 at 8:56 PM, Martinx - ジェームズ <
> thiagocmartinsc at gmail.com> wrote:
>
>> Hi!
>>
>>
>> On 23 December 2013 16:53, gustavo panizzo <gfa> <gfa at zumbi.com.ar> wrote:
>>
>>> is the user member of the two tenants?
>>>
>>
>> No. "Tenant B" has one, and only one, user. I never created a user that
>> belongs to more than one tenant; my cloud is very simple and small. And
>> the "Tenant A" user is a member of its own Project, not two.
>>
>> Only my "Tenant C" has *two users*, but no user belongs to two
>> tenants. I'm quite sure about this.
>>
>> Anyway, you asked me an interesting question: how can I see that? I
>> mean, is there a command option to list all the tenants that a user is a
>> member of? I can see keystone options like "user-role-list" or
>> "tenant-get", but I can't find an option to list the tenants that a user is
>> a member of. Tips?!
>>
>> Tks!
>>
>>
>>>  "Martinx - ジェームズ" <thiagocmartinsc at gmail.com> wrote:
>>>
>>>> Stackers!
>>>>
>>>> I need a bit of help here...
>>>>
>>>> My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't
>>>> know what happened here, but now I'm seeing some weird problems.
>>>>
>>>> Right now, the "Tenant A" is seeing the VNC Consoles of "Tenant B" !!!
>>>>
>>>> How is that even possible?! There is no authentication here to deal
>>>> with this kind of thing!? I'm really worried about this.
>>>>
>>>> Look:
>>>>
>>>> "Tenant A" Instances:
>>>>
>>>> [image: Inline images 1]
>>>>
>>>>
>>>> "Tenant A" accessing the VNC Console of a "Tenant B" Instance!!!
>>>>
>>>> [image: Inline images 2]
>>>>
>>>>
>>>> This is a very serious problem, since I'm giving "Tenant A"
>>>> almost total access to "Tenant B" instances!! This kind of situation should
>>>> NEVER occur!
>>>>
>>>> What can I do to completely block this?
>>>>
>>>> I just started a new Instance for "Tenant A", and I'm seeing ANOTHER
>>>> VNC Console from "Tenant B"!!
>>>>
>>>> Regards,
>>>> Thiago
>>>>
>>>
>>
>>
>
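Diego's hypothesis above, a 'forgotten' VM still running in libvirt under a UUID Nova no longer tracks, can be checked on a compute node by comparing the domains libvirt reports with the instances Nova believes are on that host. The script below is an added example and not code from the thread; it runs on constructed sample lists that stand in for the captured output of `virsh list --all --uuid` and the ID column of `nova list --all-tenants --host <compute-node>` (both assumed to be collected separately), and prints the domain UUIDs that libvirt runs but Nova does not know about.

```shell
#!/bin/sh
# Added example: find libvirt domains on a compute node that Nova does not
# track. The two lists below are constructed sample data standing in for
# real command output (assumption: you capture `virsh list --all --uuid`
# and Nova's instance IDs for this host yourself and pass them in).

# Constructed sample: what libvirt reports. Case and blank lines vary on
# purpose, as pasted output often does.
SAMPLE_LIBVIRT_UUIDS='11111111-2222-4333-8444-555555555555
66666666-7777-4888-9999-AAAAAAAAAAAA

deadbeef-0000-4000-8000-000000000001'

# Constructed sample: what Nova believes is scheduled on the same node.
SAMPLE_NOVA_UUIDS='11111111-2222-4333-8444-555555555555
66666666-7777-4888-9999-aaaaaaaaaaaa'

# orphan_domains LIBVIRT_UUIDS NOVA_UUIDS
# Prints each UUID that libvirt runs but Nova does not track: lower-cased,
# de-duplicated, one per line. Nova uses the instance UUID as the libvirt
# domain UUID, so anything printed here is a "forgotten" VM to investigate.
orphan_domains() {
  {
    printf '%s\n' "$2" | sed 's/^/N /'   # tag Nova's view
    printf '%s\n' "$1" | sed 's/^/L /'   # tag libvirt's view
  } | tr 'A-F' 'a-f' | awk '
    NF < 2    { next }                          # skip blank lines
    $1 == "N" { known[$2] = 1; next }           # remember Nova-tracked UUIDs
    !($2 in known) && !seen[$2]++ { print $2 }  # libvirt-only, printed once
  '
}

# Stand-alone run against the constructed sample.
orphans=$(orphan_domains "$SAMPLE_LIBVIRT_UUIDS" "$SAMPLE_NOVA_UUIDS")
if [ -n "$orphans" ]; then
  echo "libvirt domains unknown to Nova (inspect with: virsh dominfo <uuid>):"
  echo "$orphans"
else
  echo "no orphaned libvirt domains found"
fi
```

A UUID printed by this check only tells you that libvirt and Nova disagree; look at the domain before removing it, since a stale domain that keeps a VNC port open is exactly the kind of leftover that could be served to the wrong tenant.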