2021-06-22 20:32:08 |
Erno Kuvaja |
bug |
|
|
added bug |
2021-06-22 20:42:20 |
Erno Kuvaja |
description |
A user that has been assigned the admin role within their project gets treated as a de facto admin in Glance even when the project-scoped "Secure RBAC" feature is enabled.
Secure RBAC personas were introduced in the Wallaby cycle, creating project scope. If a user is granted admin rights within the project scope based on the Secure RBAC roles model, the user gets treated as admin in Glance.
stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | ed7b2d168e444122b9700701834e8d97 |
| is_domain | False |
| name | privilege-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
NOTE THE PROJECT ID.
stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email priv-test@example.com --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | ed7b2d168e444122b9700701834e8d97 |
| domain_id | default |
| email | priv-test@example.com |
| enabled | True |
| id | eb0d6ce9c6bc42ee8962ad97849b38f7 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE that the 'privtest@Default' user has no roles other than admin in the 'privilege-test@Default' project.
stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3
NOTE: Using the privtest:privilege-test user and project.
stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | True |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:00:53Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | False |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:49:01Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
The owner of the image is _NOT_ the privilege-test project, as one can see by comparing the project id with the owner field.
Any deployment utilizing Secure RBAC and assigning the admin role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance for that user. |
This behaviour is not limited to just Secure RBAC but is carried over to it and more likely to be used. |
|
2021-06-22 21:24:07 |
Erno Kuvaja |
nominated for series |
|
glance/wallaby |
|
2021-06-22 21:24:07 |
Erno Kuvaja |
bug task added |
|
glance/wallaby |
|
2021-06-22 21:24:07 |
Erno Kuvaja |
nominated for series |
|
glance/xena |
|
2021-06-22 21:24:07 |
Erno Kuvaja |
bug task added |
|
glance/xena |
|
2021-06-22 21:25:13 |
Erno Kuvaja |
description |
User that has been assigned admin role within their project gets treated as de-fact admin in Glance even when project scoped "Secure RBAC" feature is enabled.
Secure RBAC personas were introduced in Wallaby cycle creating project scope. If user is granted admin rights within the project scope based on the Secure RBAC roles model the user gets treated as admin in Glance.
stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | ed7b2d168e444122b9700701834e8d97 |
| is_domain | False |
| name | privilege-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
NOTE THE PROJECT ID.
stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email priv-test@example.com --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | ed7b2d168e444122b9700701834e8d97 |
| domain_id | default |
| email | priv-test@example.com |
| enabled | True |
| id | eb0d6ce9c6bc42ee8962ad97849b38f7 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE: that the 'privtest@Default' user has no other roles than admin in 'privilege-test@Default' project
stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3
NOTE: Using the privtest:privilege-test user and project.
stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | True |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:00:53Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | False |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:49:01Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
The owner of the image is _NOT_ the privilege-test project, as one can see by comparing the project id with the owner field.
Any deployment utilizing Secure RBAC and assigning the admin role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance for that user.
This behaviour is not limited to Secure RBAC but is carried over to it and is more likely to be used. |
|
2021-06-22 22:08:26 |
Jeremy Stanley |
description |
A user that has been assigned the admin role within their project gets treated as a de facto admin in Glance even when the project-scoped "Secure RBAC" feature is enabled.
Secure RBAC personas were introduced in the Wallaby cycle, creating project scope. If a user is granted admin rights within the project scope based on the Secure RBAC roles model, the user gets treated as admin in Glance.
stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | ed7b2d168e444122b9700701834e8d97 |
| is_domain | False |
| name | privilege-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
NOTE THE PROJECT ID.
stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email priv-test@example.com --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | ed7b2d168e444122b9700701834e8d97 |
| domain_id | default |
| email | priv-test@example.com |
| enabled | True |
| id | eb0d6ce9c6bc42ee8962ad97849b38f7 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE that the 'privtest@Default' user has no roles other than admin in the 'privilege-test@Default' project
stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3
NOTE: Using the privtest:privilege-test user and project.
stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | True |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:00:53Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | False |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:49:01Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
The owner of the image is _NOT_ the privilege-test project, as one can see by comparing the project id with the owner field.
Any deployment utilizing Secure RBAC and assigning the admin role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance for that user.
This behaviour is not limited to Secure RBAC but is carried over to it and is more likely to be used. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2021-09-20 and will be made
public by or on that date even if no fix is identified.
A user that has been assigned the admin role within their project gets treated as a de facto admin in Glance even when the project-scoped "Secure RBAC" feature is enabled.
Secure RBAC personas were introduced in the Wallaby cycle, creating project scope. If a user is granted admin rights within the project scope based on the Secure RBAC roles model, the user gets treated as admin in Glance.
stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | ed7b2d168e444122b9700701834e8d97 |
| is_domain | False |
| name | privilege-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
NOTE THE PROJECT ID.
stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email priv-test@example.com --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | ed7b2d168e444122b9700701834e8d97 |
| domain_id | default |
| email | priv-test@example.com |
| enabled | True |
| id | eb0d6ce9c6bc42ee8962ad97849b38f7 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE that the 'privtest@Default' user has no roles other than admin in the 'privilege-test@Default' project
stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3
NOTE: Using the privtest:privilege-test user and project.
stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | True |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:00:53Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | False |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:49:01Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
The owner of the image is _NOT_ the privilege-test project, as one can see by comparing the project id with the owner field.
Any deployment utilizing Secure RBAC and assigning the admin role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance for that user.
This behaviour is not limited to Secure RBAC but is carried over to it and is more likely to be used. |
|
2021-06-22 22:09:59 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2021-06-22 22:10:15 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2021-06-22 22:11:21 |
Jeremy Stanley |
bug |
|
|
added subscriber Glance Core security contacts |
2021-06-23 05:17:29 |
Abhishek Kekane |
bug |
|
|
added subscriber Dan Smith |
2021-07-04 15:41:59 |
Gage Hugo |
information type |
Private Security |
Public Security |
|
2021-07-09 13:24:11 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2021-09-20 and will be made
public by or on that date even if no fix is identified.
A user that has been assigned the admin role within their project gets treated as a de facto admin in Glance even when the project-scoped "Secure RBAC" feature is enabled.
Secure RBAC personas were introduced in the Wallaby cycle, creating project scope. If a user is granted admin rights within the project scope based on the Secure RBAC roles model, the user gets treated as admin in Glance.
stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | ed7b2d168e444122b9700701834e8d97 |
| is_domain | False |
| name | privilege-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
NOTE THE PROJECT ID.
stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email priv-test@example.com --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | ed7b2d168e444122b9700701834e8d97 |
| domain_id | default |
| email | priv-test@example.com |
| enabled | True |
| id | eb0d6ce9c6bc42ee8962ad97849b38f7 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE that the 'privtest@Default' user has no roles other than admin in the 'privilege-test@Default' project
stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3
NOTE: Using the privtest:privilege-test user and project.
stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | True |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:00:53Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | False |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:49:01Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
The owner of the image is _NOT_ the privilege-test project, as one can see by comparing the project id with the owner field.
Any deployment utilizing Secure RBAC and assigning the admin role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance for that user.
This behaviour is not limited to Secure RBAC but is carried over to it and is more likely to be used. |
A user that has been assigned the admin role within their project gets treated as a de facto admin in Glance even when the project-scoped "Secure RBAC" feature is enabled.
Secure RBAC personas were introduced in the Wallaby cycle, creating project scope. If a user is granted admin rights within the project scope based on the Secure RBAC roles model, the user gets treated as admin in Glance.
stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | ed7b2d168e444122b9700701834e8d97 |
| is_domain | False |
| name | privilege-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
NOTE THE PROJECT ID.
stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email priv-test@example.com --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | ed7b2d168e444122b9700701834e8d97 |
| domain_id | default |
| email | priv-test@example.com |
| enabled | True |
| id | eb0d6ce9c6bc42ee8962ad97849b38f7 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE that the 'privtest@Default' user has no roles other than admin in the 'privilege-test@Default' project
stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3
NOTE: Using the privtest:privilege-test user and project.
stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | True |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:00:53Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | False |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:49:01Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
The owner of the image is _NOT_ the privilege-test project, as one can see by comparing the project id with the owner field.
Any deployment utilizing Secure RBAC and assigning the admin role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance for that user.
This behaviour is not limited to Secure RBAC but is carried over to it and is more likely to be used. |
|
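The role assignment listing and the admin-scope problem in the report above, as an added audit example (not code from the Glance project or from the bug reporter): a stdlib-only Python script that parses the table printed by `openstack role assignment list --names`, groups every admin grant by the scope it was given in (project, domain or system) so a deployer can review which assignments Glance will honour as full admin, and contrasts a role-only admin check with a scope-aware one. The sample table is constructed to mirror the report's output; `Assignment`, `find_admin_grants`, `is_admin_role_only` and `is_admin_scope_aware` are this example's own names, and the scope-aware check is an assumed hardening, not a description of Glance's actual policy.

```python
"""Audit Keystone role assignments and group 'admin' grants by scope.

Added example, not the Glance project's or the reporter's code. The report
shows an admin role granted in project scope being honoured by Glance as a
full admin, so a deployer auditing role assignments wants to see every
admin grant together with the scope it was made in.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the `openstack role assignment list --names`
# table in the report (names and projects mirror the report, rows are a subset).
SAMPLE_TABLE = """\
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role        | User              | Group             | Project                    | Domain  | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin       |                   | admins@Default    | admin@Default              |         |        | False     |
| member      | demo@Default      |                   | demo@Default               |         |        | False     |
| admin       | privtest@Default  |                   | privilege-test@Default     |         |        | False     |
| admin       | admin@Default     |                   |                            | Default |        | False     |
| admin       | admin@Default     |                   |                            |         | all    | False     |
| service     | glance@Default    |                   | service@Default            |         |        | False     |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
"""


@dataclass(frozen=True)
class Assignment:
    """One row of the role assignment table (hypothetical helper type)."""
    role: str
    user: str
    group: str
    project: str
    domain: str
    system: str
    inherited: bool

    @property
    def scope(self) -> str:
        # A Keystone assignment targets exactly one of system, domain or project.
        if self.system:
            return "system"
        if self.domain:
            return "domain"
        return "project"

    @property
    def principal(self) -> str:
        # Assignments are made either to a user or to a group, never both.
        return self.user or f"group:{self.group}"


def parse_assignment_table(text: str) -> List[Assignment]:
    """Parse the ASCII table printed by the openstack CLI into Assignment rows."""
    rows: List[Assignment] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # '+----' border lines and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Role":
            continue  # header row
        if len(cells) != 7:
            raise ValueError(f"unexpected column count in row: {line!r}")
        role, user, group, project, domain, system, inherited = cells
        rows.append(Assignment(role, user, group, project, domain, system,
                               inherited == "True"))
    return rows


def find_admin_grants(assignments: List[Assignment]) -> Dict[str, List[Assignment]]:
    """Group every 'admin' assignment by scope, in table order.

    Under the behaviour the report describes, all three buckets are honoured
    by Glance as full admin; the project and domain buckets are the ones a
    deployer would not expect to carry global privilege.
    """
    grants: Dict[str, List[Assignment]] = {"project": [], "domain": [], "system": []}
    for a in assignments:
        if a.role == "admin":
            grants[a.scope].append(a)
    return grants


def is_admin_role_only(roles: List[str], system_scope: Optional[str]) -> bool:
    """Role-only check: any token carrying 'admin' passes, whatever its scope.
    This is the weak form whose effect the report demonstrates."""
    return "admin" in roles


def is_admin_scope_aware(roles: List[str], system_scope: Optional[str]) -> bool:
    """Scope-aware check (assumed hardening, not Glance's actual policy):
    'admin' only counts on a system-scoped token, i.e. system_scope == "all",
    so a project- or domain-scoped admin is not treated as a global admin."""
    return "admin" in roles and system_scope == "all"


if __name__ == "__main__":
    for scope, rows in find_admin_grants(parse_assignment_table(SAMPLE_TABLE)).items():
        for a in rows:
            target = a.project or a.domain or a.system
            print(f"{scope:8s} admin: {a.principal} on {target}")
```

Run against a real listing by piping the CLI output into `parse_assignment_table`; every entry printed under `project` or `domain` is an assignment that, per the report, currently yields full Glance admin rights and should be reviewed.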
2021-08-05 17:44:04 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
2021-08-05 17:46:34 |
Jeremy Stanley |
tags |
|
security |
|
2021-08-05 17:46:41 |
Jeremy Stanley |
information type |
Public Security |
Public |
|