New user wrongly given access permissions to databases
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack DBaaS (Trove) | Fix Released | High | Petr Malik | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
Running the trove client against the Icehouse service, I have encountered the following odd situation:
Create a datastore instance with, say, two databases and a user:
$ trove create nextTestdb 1 --size 1 --databases DbOne DbTwo --users Bob:AVeryBadPas
+------
| Property | Value |
+------
| created | 2014-10-14T03:14:46 |
| datastore | MySQL |
| datastore_version | 5.5 |
| flavor | 1 |
| hostname | cqhuwzshhzz.
| id | 66d95162-
| name | nextTestdb |
| status | BUILD |
| updated | 2014-10-14T03:14:46 |
| volume | 1 |
+------
Then change the user Bob's name:
$ trove user-update-
Just to show the ordinary permissions for a new user, create one called, say, Ben:
$ trove user-create 66d95162-
$ trove user-list 66d95162-
+------
| Name | Host | Databases |
+------
| Ben | % | |
| VaderJakob | % | DbOne, DbTwo |
+------
Now create a new user, named Bob:
$ trove user-create 66d95162-
$ trove user-list 66d95162-
+------
| Name | Host | Databases |
+------
| Ben | % | |
| Bob | % | DbOne, DbTwo |
| VaderJakob | % | DbOne, DbTwo |
+------
And it can be seen that Bob has picked up access rights to the databases that the old user Bob used to have before he/she/it was renamed to VaderJakob, which is, IMHO, wrong. I did a search and didn't find a bug report along these lines.
Although a very minor hole, I've taken the liberty of checking the security vulnerability flag, as I think that a user accidentally finding themselves with access to a database that they weren't supposed to see might cause some pain in someone's life.
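As an added check (example code, not part of the report or of Trove itself): a small parser for the table that `trove user-list` prints, used to compare the listing before and after a `user-create` and flag any new user that already holds database grants. The two sample listings are transcribed from the report above; the column widths are assumed.

```python
# Added example: detect a freshly created Trove user that already has
# database grants, by diffing two `trove user-list` listings.
# Not Trove's own code; the table layout below is assumed.

def parse_user_list(output):
    """Return {user: set(databases)} from `trove user-list` table output."""
    users = {}
    for line in output.splitlines():
        if not line.startswith("|"):
            continue                      # skip +----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Name":
            continue                      # skip the header row
        name, dbs = cells[0], cells[2]
        users[name] = {d.strip() for d in dbs.split(",") if d.strip()}
    return users

def check_new_users(before, after):
    """Users present only in `after` that already hold grants -> {user: [dbs]}.

    An empty dict means every newly created user started with no access,
    which is what the reporter expected to see for Bob."""
    old = parse_user_list(before)
    new = parse_user_list(after)
    return {u: sorted(dbs) for u, dbs in new.items() if u not in old and dbs}

# Constructed sample listings, matching the report's two `user-list` outputs.
BEFORE = """\
+------------+------+--------------+
| Name       | Host | Databases    |
+------------+------+--------------+
| Ben        | %    |              |
| VaderJakob | %    | DbOne, DbTwo |
+------------+------+--------------+
"""
AFTER = """\
+------------+------+--------------+
| Name       | Host | Databases    |
+------------+------+--------------+
| Ben        | %    |              |
| Bob        | %    | DbOne, DbTwo |
| VaderJakob | %    | DbOne, DbTwo |
+------------+------+--------------+
"""

if __name__ == "__main__":
    # Bob is new yet already has DbOne and DbTwo: the leak the report describes.
    print(check_new_users(BEFORE, AFTER))  # {'Bob': ['DbOne', 'DbTwo']}
```

Running the same check right after creating Ben would return an empty dict, which is the expected result for a user that was never renamed away from.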
information type: Public Security → Public
Changed in trove:
milestone: kilo-1 → kilo-2
Changed in trove:
milestone: kilo-2 → kilo-3
Changed in trove:
milestone: kilo-3 → kilo-rc1
Changed in trove:
milestone: kilo-rc1 → liberty-1
Changed in trove:
milestone: liberty-1 → liberty-2
Changed in trove:
milestone: liberty-2 → liberty-3
Changed in trove:
milestone: liberty-3 → ongoing
Changed in trove:
milestone: ongoing → newton-1
status: In Progress → Triaged
assignee: Sushil Kumar (sushil-kumar2) → nobody
Changed in trove:
assignee: nobody → Petr Malik (pmalik)
status: Triaged → In Progress
Hi Martin,
Thanks for your bug report. I agree. It looks like this could have security implications. I've added an OSSA task to the bug and marked it incomplete pending confirmation from a member of the Trove coresec team.