Ceilometer user in service tenant cannot access EventsController::get_all without admin role.

Bug #1448599 reported by Shunli Zhou
Affects      Status        Importance   Assigned to   Milestone
Ceilometer   Fix Released  Undecided    Unassigned

Bug Description

Without admin role, ceilometer user in service tenant cannot access EventsController::get_all.
This doesn't make sense.

For an OpenStack service to access other services, such as Nova accessing Ceilometer, it's better to use the ceilometer user without the admin role to avoid some potential security problems; the service role alone is enough.

Allowing only the ceilometer user in the service tenant with the admin role to access EventsController::get_all prevents other services from using a service user without the admin role to retrieve events.
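As an added example that is not part of the bug report or of Ceilometer's code, the following models the oslo.policy-style policy.json decision the report is about: one constructed policy ties event listing to the admin role (the behaviour reported), the other admits a separate "service" role for that one call. The rule names "telemetry:events:index" and "telemetry:admin_only_example", the "service" role and the credential dictionaries are all assumptions made for the illustration; the evaluator supports only the subset of the oslo.policy grammar these rules use.

```python
"""Added illustration of the policy check behind this bug; not Ceilometer's
or oslo.policy's own code.  Rule names, the "service" role and the credential
dictionaries are constructed for the example."""
import json

# Constructed policy modelling the behaviour reported: listing events is
# tied to context_is_admin, so a service user without admin is refused.
ADMIN_ONLY_POLICY = json.loads("""{
    "context_is_admin": "role:admin",
    "telemetry:events:index": "rule:context_is_admin",
    "telemetry:admin_only_example": "rule:context_is_admin"
}""")

# Constructed alternative (assumed, not the project's shipped policy): a
# separate rule admits the service role for the events listing only, so no
# admin grant is needed for that call and nothing else is unlocked.
SERVICE_ALLOWED_POLICY = json.loads("""{
    "context_is_admin": "role:admin",
    "context_is_service": "role:service",
    "telemetry:events:index": "rule:context_is_admin or rule:context_is_service",
    "telemetry:admin_only_example": "rule:context_is_admin"
}""")


def _check(expr, creds, rules):
    """Evaluate one policy expression against credentials.

    Supports the subset of the oslo.policy grammar used above: "role:X",
    "rule:NAME", "@" (always), "!" (never), "and", "or".  No parentheses;
    "or" binds looser than "and", as in oslo.policy.
    """
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    if " or " in expr:
        return any(_check(p, creds, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(_check(p, creds, rules) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "rule":
        return _check(rules[value], creds, rules)
    raise ValueError("unsupported check %r" % expr)


def enforce(policy, target, creds):
    """Return True if creds may perform target under policy."""
    return _check(policy[target], creds, policy)


def allowed_targets(policy, creds):
    """Every API target (rule names containing ':') creds may call.

    Shows the over-privilege the report describes: granting admin to satisfy
    the events rule also opens every other admin-only target.
    """
    return sorted(t for t in policy if ":" in t and enforce(policy, t, creds))


# Constructed credentials for the ceilometer user in the service tenant.
SERVICE_USER = {"user": "ceilometer", "project_id": "service",
                "roles": ["service"]}
SERVICE_USER_AS_ADMIN = {"user": "ceilometer", "project_id": "service",
                         "roles": ["service", "admin"]}

if __name__ == "__main__":
    for name, pol in (("admin-only", ADMIN_ONLY_POLICY),
                      ("service-allowed", SERVICE_ALLOWED_POLICY)):
        for label, creds in (("service role", SERVICE_USER),
                             ("service+admin", SERVICE_USER_AS_ADMIN)):
            print(name, label, allowed_targets(pol, creds))
```

Under the admin-only policy the service user is refused the events listing, and the only way to admit it is the admin grant, which also opens the unrelated admin-only target; under the alternative policy the service role reaches the events listing and nothing more.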

Shunli Zhou (shunliz) wrote:

For services to interact, the ceilometer user needs to be assigned the admin role in the service tenant; see, for example, this patch in the cookbook https://review.openstack.org/#/c/176663/ that works around this problem.

information type: Private Security → Public Security
Jeremy Stanley (fungi) wrote:

You currently have this open as a security bug, indicating you believe it represents an exploitable vulnerability in the software. Can you elaborate on the circumstances under which this bug might be exploited by a malicious actor, and the risks it implies?

Shunli Zhou (shunliz) wrote:

Maybe this is just an improper user rights problem.

The case I can think of: a service only needs to view the ceilometer event list, but the cluster admin has to give the service admin rights. Then the service can get data that only an admin has the right to.

I'm not sure this can be tagged as a security bug. I think it's definitely an improper user rights setting problem.
If you think this is not a security bug, we can remove the security tag.

gordon chung (chungg) wrote:

The reason ceilometer requires the admin role to access events is to ensure audit events are only visible to admin users. I assume there is a lack of flexibility here and we need some way to tag events.

gordon chung (chungg) wrote:

This is addressed by: blueprint events-rbac

Changed in ceilometer:
status: New → Fix Committed
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: liberty-3 → 5.0.0