Non-admin users can get volumes in non-authorized tenants

Bug #1477507 reported by Yuriy Nesenenko
Affects: Mirantis OpenStack
Status: Fix Released
Importance: High
Assigned to: Yuriy Nesenenko
Milestone: (not shown)

Bug Description

When non-admin users know the volume uuid in the non-authorized tenant, they can get the volume information.

% OS_USERNAME=admin OS_TENANT_NAME=admin cinder list
+--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+
|                  ID                  |   Status  | Name | Size | Volume Type | Bootable | Multiattach | Attached to |
+--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+
| 775fafb7-a2ee-497f-9b72-a5467f2cabd4 | available |  a1  |  1   | lvmdriver-2 |  false   |    False    |             |
+--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+

% OS_USERNAME=demo OS_TENANT_NAME=admin cinder list
ERROR: User 3688045ce23b4859af1c4ede57d63d4d is unauthorized for tenant 0076ae66c26e4614b8de5d453289d2e5 (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-f293f1c8-0801-41b8-ae2a-c5a79ee2a43f)

% OS_USERNAME=demo cinder show 775fafb7-a2ee-497f-9b72-a5467f2cabd4
+---------------------------------------+--------------------------------------+
| Property                              | Value                                |
+---------------------------------------+--------------------------------------+
| attachments                           | []                                   |
| availability_zone                     | nova                                 |
| bootable                              | false                                |
| consistencygroup_id                   | None                                 |
| created_at                            | 2015-07-14T21:28:40.000000           |
| description                           | None                                 |
| encrypted                             | False                                |
| id                                    | 775fafb7-a2ee-497f-9b72-a5467f2cabd4 |
| metadata                              | {}                                   |
| multiattach                           | False                                |
| name                                  | a1                                   |
| os-vol-tenant-attr:tenant_id          | 0076ae66c26e4614b8de5d453289d2e5     |
| os-volume-replication:driver_data     | None                                 |
| os-volume-replication:extended_status | None                                 |
| replication_status                    | disabled                             |
| size                                  | 1                                    |
| snapshot_id                           | None                                 |
| source_volid                          | None                                 |
| status                                | available                            |
| user_id                               | 030ccc6b1eb546598d8c13512b99ab97     |
| volume_type                           | lvmdriver-2                          |
+---------------------------------------+--------------------------------------+

In this example, the demo user can get info of the "a1" volume in the "admin" tenant
(tenant-id = 0076ae66c26e4614b8de5d453289d2e5), which the demo user is not authorized to access.

Upstream bug: https://bugs.launchpad.net/cinder/+bug/1475422

Tags: cinder
Changed in mos:
status: New → In Progress
assignee: nobody → Yuriy Nesenenko (ynesenenko)
importance: Undecided → High
milestone: none → 7.0
tags: added: cinder
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/cinder (master)

Fix proposed to branch: master
Change author: Yuriy Nesenenko <email address hidden>
Review: https://review.fuel-infra.org/9817

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/cinder (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Yuriy Nesenenko <email address hidden>
Review: https://review.fuel-infra.org/9878

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/cinder (master)

Change abandoned by Yuriy Nesenenko <email address hidden> on branch: master
Review: https://review.fuel-infra.org/9817
Reason: wrong branch

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/cinder (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/9878
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: ecfe2761fcb10dc16efcdca25a48947829697919
Author: Yuriy Nesenenko <email address hidden>
Date: Mon Jul 27 12:47:22 2015

Set default policy for "volume:get"

When non-admin users know the volume uuid in the non-authorized tenant,
they can get the volume information because no policy is defined for
"volume:get". It's necessary to set the policy for "volume:get" to
"rule:admin_or_owner" by default.

Change-Id: I212fdb21e4ddca2390337e0678915a5b1d8f086a
Closes-bug: #1477507
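
The hole shown in the bug description and the one-line fix in the commit message above both come down to a single rule string in cinder's policy.json. The following is an added example, not code from the bug report, from the MOS tree or from oslo.policy itself: a toy evaluator that mirrors the subset of oslo.policy semantics cinder's policy file relies on (an empty rule string allows everyone; an action with no entry at all falls back to the "default" rule; "rule:admin_or_owner" expands to is_admin:True or project_id:%(project_id)s, where project_id is filled in from the policy target, i.e. the volume being read, and compared with the caller's project_id). It then checks "volume:get" for the demo user, the admin and a non-admin user in the owning tenant under the always-allow rule and under "rule:admin_or_owner". The volume, tenant and user ids are the ones printed in the report; the demo user's own tenant id and the policy dicts are constructed for the example.

```python
"""Toy evaluator for the subset of oslo.policy rule syntax used by cinder's
policy.json: empty rule, "rule:<name>", "role:<r>", "<key>:<value>" generic
checks with %(key)s interpolation, and "and"/"or".  It is NOT oslo.policy;
it exists only to show why an always-allow "volume:get" lets the demo user
read a volume owned by the admin tenant and why "rule:admin_or_owner" stops it."""

# Policy dicts in the shape of cinder's etc/cinder/policy.json.  The exact
# MOS 7.0 file is not quoted on the bug page, so these are constructed.
WEAK_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "volume:get": "",              # "" means: always allow, for anyone
}

# The fix from the commit message: make "volume:get" admin-or-owner.
FIXED_POLICY = dict(WEAK_POLICY, **{"volume:get": "rule:admin_or_owner"})

# An action with no entry at all is resolved through the "default" rule.
UNDEFINED_POLICY = {k: v for k, v in WEAK_POLICY.items() if k != "volume:get"}


def _check_atom(atom, rules, target, creds):
    """Evaluate one 'kind:match' check against the request context."""
    atom = atom.strip()
    if atom in ("", "@"):            # empty rule / "@": always true
        return True
    if atom == "!":                  # "!": always false
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":               # reference to another named rule
        return _enforce_rule(match, rules, target, creds)
    if kind == "role":               # role membership, case-insensitive
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: "%(key)s" on the match side is filled from the *target*
    # (the volume) and compared with the same key in the *creds* (the caller).
    match = match % target
    return kind in creds and str(creds[kind]) == match


def _check_expr(expr, rules, target, creds):
    """'a or b and c' with 'and' binding tighter; no parentheses or 'not'."""
    return any(
        all(_check_atom(a, rules, target, creds) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def _enforce_rule(name, rules, target, creds):
    if name not in rules:
        if name != "default" and "default" in rules:
            return _enforce_rule("default", rules, target, creds)
        return False
    return _check_expr(rules[name], rules, target, creds)


def enforce(rules, action, target, creds):
    return _enforce_rule(action, rules, target, creds)


# Identifiers taken from the cinder output in the bug report; the demo
# user's own tenant id is not on the page and is a constructed placeholder.
VOLUME = {
    "id": "775fafb7-a2ee-497f-9b72-a5467f2cabd4",
    "project_id": "0076ae66c26e4614b8de5d453289d2e5",   # admin tenant
    "user_id": "030ccc6b1eb546598d8c13512b99ab97",
}
DEMO_CTX = {"user_id": "3688045ce23b4859af1c4ede57d63d4d",
            "project_id": "demo-tenant-id-placeholder",
            "is_admin": False, "roles": ["Member"]}
ADMIN_CTX = {"user_id": "030ccc6b1eb546598d8c13512b99ab97",
             "project_id": "0076ae66c26e4614b8de5d453289d2e5",
             "is_admin": True, "roles": ["admin"]}
OWNER_CTX = dict(ADMIN_CTX, is_admin=False, roles=["Member"])  # non-admin, same tenant


def can_get_volume(rules, context, volume):
    """Shape of cinder's volume API policy check for 'get': the target starts
    as the caller's ids and is overridden by the volume's fields, so the
    target's project_id is the tenant that owns the volume."""
    target = {"project_id": context["project_id"], "user_id": context["user_id"]}
    target.update(volume)
    return enforce(rules, "volume:get", target, context)


def run_demo():
    return {
        "weak/demo": can_get_volume(WEAK_POLICY, DEMO_CTX, VOLUME),
        "fixed/demo": can_get_volume(FIXED_POLICY, DEMO_CTX, VOLUME),
        "fixed/admin": can_get_volume(FIXED_POLICY, ADMIN_CTX, VOLUME),
        "fixed/owner": can_get_volume(FIXED_POLICY, OWNER_CTX, VOLUME),
        "undefined/demo": can_get_volume(UNDEFINED_POLICY, DEMO_CTX, VOLUME),
    }


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print("%-15s %s" % (case, "ALLOW" if allowed else "DENY"))
```

The detail that makes admin_or_owner meaningful is that the volume record is merged into the policy target, so %(project_id)s resolves to the owning tenant and is compared with the caller's project_id; an empty rule never looks at either side. When auditing a policy.json, look for actions mapped to "" and for actions with no entry, and check what "default" resolves to, since that rule silently decides every action the file forgot.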

Ivan Kolodyazhny (e0ne)
Changed in mos:
status: In Progress → Fix Committed
tags: added: on-verification
Alexander Chudnovets (achudnovets) wrote :

Verified it on MOS 7.0 (build 224) - fixed
ENV: Ubuntu - Neutron VLAN - 1 controller, 2 computes with Cinder
Proof: https://paste.mirantis.net/show/985/

Changed in mos:
status: Fix Committed → Fix Released
tags: removed: on-verification
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/cinder (openstack-ci/fuel-8.0/liberty)

Fix proposed to branch: openstack-ci/fuel-8.0/liberty
Change author: Yuriy Nesenenko <email address hidden>
Review: https://review.fuel-infra.org/13330

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/cinder (openstack-ci/fuel-8.0/liberty)

Change abandoned by Ivan Kolodyazhny <email address hidden> on branch: openstack-ci/fuel-8.0/liberty
Review: https://review.fuel-infra.org/13330
Reason: It's already synced from stable/liberty
