After discussing, the Vulnerability Management Team members have concluded that the in-progress but incomplete RBAC implementation in various projects does not rise to the level of requiring a published security advisory, particularly as this work is likely to take place primarily in development branches and not be backported to supported stable branches. Some clearer documentation on behalf of the implementing projects is likely warranted in order to warn users of the caveats and potential pitfalls of relying on RBAC in its current state, but that's separate from whether or not we publish advisories about any fixes which may merge to complete the implementation.
** Changed in: ossa
   Status: Incomplete => Won't Fix

** Tags added: security

** Information type changed from Public Security to Public

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1933269

Title:
  Project admin gets treated as Global Admin with Secure RBAC

Status in Glance:
  New
Status in Glance wallaby series:
  New
Status in Glance xena series:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  A user that has been assigned the admin role within their project gets
  treated as a de facto admin in Glance even when the project-scoped
  "Secure RBAC" feature is enabled.

  Secure RBAC personas were introduced in the Wallaby cycle, creating
  project scope. If a user is granted admin rights within the project
  scope based on the Secure RBAC roles model, the user gets treated as
  admin in Glance.

  stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | ed7b2d168e444122b9700701834e8d97 |
  | is_domain   | False                            |
  | name        | privilege-test                   |
  | options     | {}                               |
  | parent_id   | default                          |
  | tags        | []                               |
  +-------------+----------------------------------+

  NOTE THE PROJECT ID.
  stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email priv-t...@example.com --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
  +---------------------+-------------------------------------------------------------------------------------+
  | Field               | Value                                                                               |
  +---------------------+-------------------------------------------------------------------------------------+
  | default_project_id  | ed7b2d168e444122b9700701834e8d97                                                    |
  | domain_id           | default                                                                             |
  | email               | priv-t...@example.com                                                               |
  | enabled             | True                                                                                |
  | id                  | eb0d6ce9c6bc42ee8962ad97849b38f7                                                    |
  | name                | privtest                                                                            |
  | options             | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
  | password_expires_at | None                                                                                |
  +---------------------+-------------------------------------------------------------------------------------+

  stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin

  stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
  +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
  | Role        | User              | Group             | Project                    | Domain  | System | Inherited |
  +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
  | admin       |                   | admins@Default    | admin@Default              |         |        | False     |
  | anotherrole | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
  | member      | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
  | anotherrole |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
  | member      |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
  | anotherrole |                   | nonadmins@Default | demo@Default               |         |        | False     |
  | member      |                   | nonadmins@Default | demo@Default               |         |        | False     |
  | admin       | nova@Default      |                   | service@Default            |         |        | False     |
  | service     | nova@Default      |                   | service@Default            |         |        | False     |
  | admin       | placement@Default |                   | service@Default            |         |        | False     |
  | service     | placement@Default |                   | service@Default            |         |        | False     |
  | service     | glance@Default    |                   | service@Default            |         |        | False     |
  | member      | demo@Default      |                   | invisible_to_admin@Default |         |        | False     |
  | anotherrole | demo@Default      |                   | demo@Default               |         |        | False     |
  | member      | demo@Default      |                   | demo@Default               |         |        | False     |
  | service     | cinder@Default    |                   | service@Default            |         |        | False     |
  | admin       | privtest@Default  |                   | privilege-test@Default     |         |        | False     |
  | service     | neutron@Default   |                   | service@Default            |         |        | False     |
  | admin       | admin@Default     |                   | admin@Default              |         |        | False     |
  | admin       | admin@Default     |                   | alt_demo@Default           |         |        | False     |
  | admin       | admin@Default     |                   | demo@Default               |         |        | False     |
  | admin       | admin@Default     |                   |                            | Default |        | False     |
  | admin       | admin@Default     |                   |                            |         | all    | False     |
  +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+

  NOTE: the 'privtest@Default' user has no other roles than admin in the
  'privilege-test@Default' project.

  stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
  WARNING: setting legacy OS_TENANT_NAME to support cli tools.
  stack@ubnt-devstack:~/devstack$ env | grep OS_
  OS_REGION_NAME=RegionOne
  OS_PROJECT_DOMAIN_ID=default
  OS_CACERT=
  OS_AUTH_URL=http://172.24.1.39/identity
  OS_TENANT_NAME=privilege-test
  OS_USER_DOMAIN_ID=default
  OS_USERNAME=privtest
  OS_VOLUME_API_VERSION=3
  OS_AUTH_TYPE=password
  OS_PROJECT_NAME=privilege-test
  OS_PASSWORD=<SNIP>
  OS_IDENTITY_API_VERSION=3

  NOTE: Using the privtest:privilege-test user and project.
  stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
  +----------------------------------+----------------------------------------------------------------------------------+
  | Property                         | Value                                                                            |
  +----------------------------------+----------------------------------------------------------------------------------+
  | checksum                         | b874c39491a2377b8490f5f1e89761a4                                                 |
  | container_format                 | bare                                                                             |
  | created_at                       | 2021-06-22T18:34:43Z                                                             |
  | disk_format                      | qcow2                                                                            |
  | hw_rng_model                     | virtio                                                                           |
  | id                               | ca2eea09-77f5-4c21-bf32-e7774c4f6b70                                             |
  | min_disk                         | 0                                                                                |
  | min_ram                          | 0                                                                                |
  | name                             | cirros-0.5.2-x86_64-disk                                                         |
  | os_hash_algo                     | sha512                                                                           |
  | os_hash_value                    | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
  |                                  | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869                                 |
  | os_hidden                        | False                                                                            |
  | owner                            | 03ba31a4978e4654a3d185f55711586a                                                 |
  | owner_specified.openstack.md5    |                                                                                  |
  | owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk                                                  |
  | owner_specified.openstack.sha256 |                                                                                  |
  | protected                        | True                                                                             |
  | size                             | 16300544                                                                         |
  | status                           | active                                                                           |
  | tags                             | []                                                                               |
  | updated_at                       | 2021-06-22T19:00:53Z                                                             |
  | virtual_size                     | 117440512                                                                        |
  | visibility                       | public                                                                           |
  +----------------------------------+----------------------------------------------------------------------------------+

  stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
  +----------------------------------+----------------------------------------------------------------------------------+
  | Property                         | Value                                                                            |
  +----------------------------------+----------------------------------------------------------------------------------+
  | checksum                         | b874c39491a2377b8490f5f1e89761a4                                                 |
  | container_format                 | bare                                                                             |
  | created_at                       | 2021-06-22T18:34:43Z                                                             |
  | disk_format                      | qcow2                                                                            |
  | hw_rng_model                     | virtio                                                                           |
  | id                               | ca2eea09-77f5-4c21-bf32-e7774c4f6b70                                             |
  | min_disk                         | 0                                                                                |
  | min_ram                          | 0                                                                                |
  | name                             | cirros-0.5.2-x86_64-disk                                                         |
  | os_hash_algo                     | sha512                                                                           |
  | os_hash_value                    | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
  |                                  | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869                                 |
  | os_hidden                        | False                                                                            |
  | owner                            | 03ba31a4978e4654a3d185f55711586a                                                 |
  | owner_specified.openstack.md5    |                                                                                  |
  | owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk                                                  |
  | owner_specified.openstack.sha256 |                                                                                  |
  | protected                        | False                                                                            |
  | size                             | 16300544                                                                         |
  | status                           | active                                                                           |
  | tags                             | []                                                                               |
  | updated_at                       | 2021-06-22T19:49:01Z                                                             |
  | virtual_size                     | 117440512                                                                        |
  | visibility                       | public                                                                           |
  +----------------------------------+----------------------------------------------------------------------------------+

  The owner of the image is _NOT_ the privilege-test project, as one can
  see by comparing the project id with the owner field.

  Any deployment utilizing Secure RBAC and assigning the admin role within
  any of the 3 scopes (Project, Domain or System) grants full admin
  privileges in Glance for that user. This behaviour is not just limited
  to Secure RBAC but was carried over to it, and is more likely to be used.
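The following is an added illustration, not Glance's or oslo.policy's own code: a toy model of the modify-image decision the report describes, contrasting a rule that only looks for an admin role in the token with one that also requires the token's scope (system, or the image's owning project) to match. The sample image and token data are constructed from the IDs in the output above; the scoped rule itself is an assumption, not Glance's shipped policy.

```python
from typing import Callable, Dict

Creds = Dict[str, object]    # token context: roles, project_id, system_scope
Target = Dict[str, object]   # the image record the request acts on
Rule = Callable[[Target, Creds], bool]


def role(name: str) -> Rule:
    """True if the token carries the role, whatever scope it was issued for."""
    return lambda target, creds: name in creds.get("roles", [])


def system_scope() -> Rule:
    """True only for a system-scoped token (the 'all' entry in the System column)."""
    return lambda target, creds: creds.get("system_scope") == "all"


def project_owner() -> Rule:
    """True when the token's project is the owner recorded on the image."""
    return lambda target, creds: (creds.get("project_id") is not None
                                  and creds["project_id"] == target.get("owner"))


def all_of(*rules: Rule) -> Rule:
    return lambda t, c: all(r(t, c) for r in rules)


def any_of(*rules: Rule) -> Rule:
    return lambda t, c: any(r(t, c) for r in rules)


# The check the report describes: any 'admin' role, in any scope, is enough.
LEGACY_MODIFY_IMAGE: Rule = role("admin")

# Scope-aware alternative (an assumption here, not Glance's shipped policy):
# a system admin may modify any image, a project admin only its own project's.
SCOPED_MODIFY_IMAGE: Rule = any_of(
    all_of(role("admin"), system_scope()),
    all_of(role("admin"), project_owner()),
)


def may_modify(rule: Rule, image: Target, creds: Creds) -> bool:
    """Evaluate a modify-image rule for one request."""
    return rule(image, creds)


# Constructed sample data mirroring the report: the cirros image is owned by
# another project, and privtest holds 'admin' scoped to project privilege-test.
CIRROS: Target = {"id": "ca2eea09-77f5-4c21-bf32-e7774c4f6b70",
                  "owner": "03ba31a4978e4654a3d185f55711586a"}
PRIVTEST: Creds = {"roles": ["admin"], "project_id": "ed7b2d168e444122b9700701834e8d97"}
SYSTEM_ADMIN: Creds = {"roles": ["admin"], "system_scope": "all"}
```

Under LEGACY_MODIFY_IMAGE the privtest token passes for an image it does not own, which is the outcome shown in the image-update output; under SCOPED_MODIFY_IMAGE it is refused while a system-scoped admin or the owning project's admin still passes.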