double check admin password when update user password

Bug #1387372 reported by Cindy Lu
Affects                        Status        Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)  Fix Released  Medium      Cindy Lu
python-keystoneclient          Opinion       Undecided   Unassigned

Bug Description

As an Admin, you can change User passwords (see attached screenshot for Horizon's Edit User modal).

However, it is a security issue that the Admin is not asked for his OWN password when making changes. This issue surfaces when using the Horizon dashboard.

For example, if the logged-in admin leaves a computer unattended, someone can successfully change the password of the logged-in user.

We should add an almost identical method here:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L145
with added admin password verification before changing the password.

Then in Horizon, we can add a new field "Admin Password" as a verification that the person changing the password is *really* the logged in user.

Copying the response from the patch to give context on the change requested: While I agree that this patch does not provide a complete solution, it does close a hole which is typically caught and flagged when security audits are done on systems running in large enterprises. We have already seen a real example of this being caught at an enterprise during a security audit. The shorter timeout solution would not enable the enterprise to pass its security audit. Having this option, even though it is a partial fix, will resolve a very irritating user experience issue that is being encountered. And again, it's optional but will be much appreciated by certain customer sets.

Revision history for this message
Cindy Lu (clu-m) wrote :
Revision history for this message
Julie Pichon (jpichon) wrote :

For reference, bug 1226828 which was closed and not deemed a security issue at the time. Doesn't mean it isn't worth revisiting though, it's good keystone is mentioned since we'll want to be matching behaviour.

Changed in python-keystoneclient:
assignee: nobody → Kanchan Gupta (kanchan-gupta1)
Changed in horizon:
assignee: nobody → Kanchan Gupta (kanchan-gupta1)
Revision history for this message
Steve Martinelli (stevemar) wrote :

From a keystoneclient point of view, I'm not sure if it makes sense to provide a new API.

Would it be possible to have a new textbox in the screenshot @clu-m provided, asking for the current user's password?
Then, based on request.user.<data>, attempt to instantiate a new client instance, like here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/client.py#L84-L89

If the wrong password is provided, an exception will be raised, and we know it's the wrong user. Otherwise proceed with the password change.

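The following is an added example, not code from Horizon or python-keystoneclient, showing the verification flow the bug description asks for and that the comment above sketches: re-authenticate the logged-in admin (taken from the server-side session, never from the submitted form) with the password typed into the new textbox, treat an authentication failure as "wrong password", and only then apply the change to the target user. Keystone is replaced by a constructed in-memory stand-in so the example runs offline, and the setting name ENFORCE_PASSWORD_CHECK is an assumption made for illustration.

```python
# Added example (not Horizon or python-keystoneclient code). Keystone is an
# in-memory stand-in; ENFORCE_PASSWORD_CHECK is an assumed setting name.


class Unauthorized(Exception):
    """Stand-in for the exception a Keystone client raises on bad credentials."""


class FakeKeystone:
    """Constructed in-memory stand-in for a Keystone v3 endpoint."""

    def __init__(self, users):
        # {(domain, username): password}
        self._users = dict(users)
        self.audit = []

    def authenticate(self, username, password, domain="Default"):
        """Mimics instantiating a client with a password: raises on failure."""
        if self._users.get((domain, username)) != password:
            raise Unauthorized("The request you have made requires authentication.")
        return "token-for-%s" % username

    def update_password(self, username, new_password, domain="Default"):
        """Mimics the admin-driven password update (no old password needed)."""
        if (domain, username) not in self._users:
            raise KeyError(username)
        self._users[(domain, username)] = new_password
        self.audit.append(("password_updated", username))


class PasswordChangeError(Exception):
    """Surfaced to the form as a validation error; Keystone is never called."""


ENFORCE_PASSWORD_CHECK = True  # assumed name for the opt-in setting


def change_user_password(keystone, session_user, target_username, new_password,
                         admin_password=None, enforce_check=ENFORCE_PASSWORD_CHECK):
    """Apply an admin-driven password change, optionally gated on the admin's
    own password.

    session_user must come from the server-side session (request.user), not
    from the submitted form: the check has to prove that the person at the
    keyboard is the account that is logged in, so someone at an unattended
    terminal cannot substitute credentials of their own.
    """
    if enforce_check:
        if not admin_password:
            raise PasswordChangeError("Please enter your own password.")
        try:
            keystone.authenticate(session_user["username"], admin_password,
                                  session_user["domain"])
        except Unauthorized:
            raise PasswordChangeError("The admin password is incorrect.")
    keystone.update_password(target_username, new_password)
    return True


def run_scenarios():
    """Exercise the three cases a reviewer would want to see."""
    ks = FakeKeystone({("Default", "admin"): "correct-horse",
                       ("Default", "alice"): "old-pass"})
    session_user = {"username": "admin", "domain": "Default"}
    outcome = {}

    # 1. correct admin password: change applied
    outcome["correct"] = change_user_password(
        ks, session_user, "alice", "new-1", admin_password="correct-horse")

    # 2. wrong admin password: rejected, alice keeps "new-1"
    try:
        change_user_password(ks, session_user, "alice", "new-2",
                             admin_password="guess")
        outcome["wrong"] = "changed"
    except PasswordChangeError as exc:
        outcome["wrong"] = str(exc)
    outcome["alice_unchanged"] = ks.authenticate("alice", "new-1") == "token-for-alice"

    # 3. check disabled (the pre-fix behaviour): no admin password needed
    outcome["disabled"] = change_user_password(
        ks, session_user, "alice", "new-3", enforce_check=False)
    outcome["updates"] = len(ks.audit)
    return outcome


if __name__ == "__main__":
    print(run_scenarios())
```

Note what this does and does not close: it stops a walk-up attacker at an unattended browser session, but, as Doug Fish points out further down, the Keystone API behind `keystone user-password-update` still accepts the change on the strength of the session's token alone, so this is a dashboard-level control and keystoneclient left the corresponding task as Opinion.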
Revision history for this message
Cindy Lu (clu-m) wrote :

Thanks Steve!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/136874

Changed in horizon:
assignee: Kanchan Gupta (kanchan-gupta1) → Cindy Lu (clu-m)
status: New → In Progress
Changed in horizon:
assignee: Cindy Lu (clu-m) → Steve Martinelli (stevemar)
Changed in horizon:
assignee: Steve Martinelli (stevemar) → Cindy Lu (clu-m)
Revision history for this message
Doug Fish (drfish) wrote :

Hey Steve, I harassed Cindy in the code review, but why are we doing this Horizon-only? It seems to me that 'keystone user-password-update' (and ultimately the API behind it) has the same vulnerability.

Revision history for this message
Steve Martinelli (stevemar) wrote :

Hey Doug, I replied over at: https://review.openstack.org/#/c/136874/

Revision history for this message
Doug Fish (drfish) wrote :

Steve, thanks for clarifying the issues around this fix. I've updated the code review with a summary of our discussion.

Changed in horizon:
importance: Undecided → Medium
milestone: none → kilo-1
Changed in python-keystoneclient:
assignee: Kanchan Gupta (kanchan-gupta1) → nobody
Changed in python-keystoneclient:
status: New → Opinion
description: updated
Thierry Carrez (ttx)
Changed in horizon:
milestone: kilo-1 → kilo-2
Thierry Carrez (ttx)
Changed in horizon:
milestone: kilo-2 → kilo-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/136874
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=4198cbf87d364227f6f033ef7105dc0302951be1
Submitter: Jenkins
Branch: master

commit 4198cbf87d364227f6f033ef7105dc0302951be1
Author: Cindy Lu <email address hidden>
Date: Tue Feb 24 15:23:50 2015 -0800

    Double check admin password when update user password

    Add a new setting to enable a new textbox field on the Change
    Password form that will double check the logged-in Admin
    user's password.

    For example if the logged-in admin leaves an unattended computer,
    someone can change the password of the logged-in user successfully.

    Co-Authored-By: Steve Martinelli <email address hidden>

    Change-Id: Icafa8ce8ab30ec43d3f6419a77118a634a163870
    Closes-Bug: #1387372

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: kilo-3 → 2015.1.0