Cinder

DB access to show volumes may not be properly controlled

Bug #1477625 reported by Jay Bryant on 2015-07-23

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Medium	Kuo-tung Kao (jelly)	Cinder 7.0.0 "liberty"

Bug Description

This bug was opened to note the fact that a user can show details for a volume they don't own in the case that they had the UUID of the volume: https://launchpad.net/bugs/1475422 This was recreated in the following manner:

When non-admin users know the volume uuid in the non-authorized tenant, they can get the volume information.

% OS_USERNAME=admin OS_TENANT_NAME=admin cinder list
+--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Multiattach | Attached to |
+--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+
| 775fafb7-a2ee-497f-9b72-a5467f2cabd4 | available | a1 | 1 | lvmdriver-2 | false | False | |
+--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+

% OS_USERNAME=demo OS_TENANT_NAME=admin cinder list
ERROR: User 3688045ce23b4859af1c4ede57d63d4d is unauthorized for tenant 0076ae66c26e4614b8de5d453289d2e5 (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-f293f1c8-0801-41b8-ae2a-c5a79ee2a43f)

% OS_USERNAME=demo cinder show 775fafb7-a2ee-497f-9b72-a5467f2cabd4
+---------------------------------------+--------------------------------------+
| Property | Value |
+---------------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2015-07-14T21:28:40.000000 |
| description | None |
| encrypted | False |
| id | 775fafb7-a2ee-497f-9b72-a5467f2cabd4 |
| metadata | {} |
| multiattach | False |
| name | a1 |
| os-vol-tenant-attr:tenant_id | 0076ae66c26e4614b8de5d453289d2e5 |
| os-volume-replication:driver_data | None |
| os-volume-replication:extended_status | None |
| replication_status | disabled |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| user_id | 030ccc6b1eb546598d8c13512b99ab97 |
| volume_type | lvmdriver-2 |
+---------------------------------------+--------------------------------------+

In this example, demo user can get info of the "a1" volume in the "admin" tenant
(tenant-id = 0076ae66c26e4614b8de5d453289d2e5) where demo user is not authorized to access.

This problem can be circumvented by limiting the policy to 'rule:admin_or_owner' but we should investigate if there is a way to avoid this happening at the DB API level.

Tags:

Kuo-tung Kao (jelly) (coding1314) on 2015-07-28

Changed in cinder:
assignee:	nobody → jelly (coding1314)
status:	New → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-07-28: Fix proposed to cinder (master)

#1

Fix proposed to branch: master
Review: https://review.openstack.org/206450

Changed in cinder:
status:	Confirmed → In Progress

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-07-31:

#2

Hi, guys. I am working on the bug. And there are many ways to solve the bug. The first way is https://review.openstack.org/#/c/206450/1/cinder/volume/api.py . Pros: Easy to implement. Only one database connection. Cons: Just a workaround. The second way is https://review.openstack.org/#/c/206450/2/cinder/volume/api.py . Pros: The code seems to be better. Cons: It needs extra database connection. Any suggestion for solve the issue ?

Jay Bryant (jsbryant) on 2015-07-31

Changed in cinder:
importance:	Undecided → Medium
milestone:	none → liberty-3

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-08-03:

#3

I list some solutions for the bug. https://gist.github.com/ya790206/ea5e6b980ae1a472411a

Revision history for this message

Scott DAngelo (scott-dangelo) wrote on 2015-08-04:

#4

jelly, we discussed this at the mid-cycle. Your latest patch (#2) looks fine to everyone. Please remove the WIP and fix the commit message issue the JayBryant has pointed out and people will continue to review.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-14: Fix merged to cinder (master)

#5

Reviewed: https://review.openstack.org/206450
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=b7c7bb8f951d6d5155f70887282ddb9e4fd2a3fb
Submitter: Jenkins
Branch: master

commit b7c7bb8f951d6d5155f70887282ddb9e4fd2a3fb
Author: Kuo-tung Kao <email address hidden>
Date: Tue Jul 28 17:44:57 2015 +0800

Don't use context.elevated to get volume

    Original Problem:
    =================
    Since the metadata(readonly and attached_mode) is stored in admin metadata,
    normal user need `run context.elevated` to retrieves admin metadata.
    The above way will bring a side effect. Normal user can also get
    any volume which the user shouldn't access when the user knows the UUID.

    Solution:
    =========
    Use context instead of context.elevated to get volume.
    And add admin metadata to it.
    Based on cinder-meetup-summer-2015 conclusion, we use the solution.
    The solution will need extra database connection.

Change-Id: I06f21e7578b65a59c0fe4d3afe0e882ed73c4725
Closes-Bug: #1477625

Changed in cinder:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2015-09-03

Changed in cinder:
status:	Fix Committed → Fix Released

Hiroyuki Eguchi (h-eguchi) on 2015-09-30

no longer affects:	cinder (Ubuntu)
tags:	added: kilo-backport-potential

Thierry Carrez (ttx) on 2015-10-15

Changed in cinder:
milestone:	liberty-3 → 7.0.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.