cross project copy succeeded without service token
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Object Storage (swift) | Fix Released | Critical | Donagh McCabe | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
A copy request which has Destination-Account is SERVICE_
a put request to SERVICE_
With this behavior data in SERVICE_
```
$ curl -i -X COPY -H "X-Auth-Token: $TOKEN" -H "Destination: e5aee7b3628641c
HTTP/1.1 201 Created
Content-Length: 0
X-Copied-
X-Copied-From: e1e004a9abd4465
Last-Modified: Thu, 06 Aug 2015 22:17:11 GMT
Etag: 2debfdcf79f03e4
X-Copied-
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx8dc1432944464
Date: Thu, 06 Aug 2015 22:17:10 GMT
```
Changed in swift:
assignee: nobody → Hisashi Osanai (osanai-hisashi)
Changed in swift:
milestone: none → 2.5.0
status: Fix Committed → Fix Released
description: updated
Hisashi, did you use tempauth or keystoneauth for the authentication? Did you set ACLs on the destination container?
I tested this using tempauth, and in fact the behavior is somewhat strange, if not broken. I used the following tempauth config:
```
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
reseller_prefix = AUTH, SERVICE
SERVICE_require_group = .service
user_glance_glance = glancepw .service
```
1. If I set an ACL on a container owned by the glance service account for test:tester3 it can be accessed without any service token at all. This might be ok - at least it is the same behavior with other, non-service accounts. However, if it is ok the documentation needs an update:
https://github.com/openstack/swift/blob/89397c5b679c2ad20f96fc81d8de6b1bf86482a6/swift/common/middleware/tempauth.py#L93-L115
2. If no ACL is set the access is denied both with and without a service token. Looking at the code I would expect that a request with a valid service token should grant administrator access.
https://github.com/openstack/swift/blob/89397c5b679c2ad20f96fc81d8de6b1bf86482a6/swift/common/middleware/tempauth.py#L506
The variable "account" is actually "SERVICE_glance", and the groups are "['test', 'test:tester3', 'glance', 'glance:glance', '.service']". However, if this were changed, a request with a service token would not need an ACL at all, thus giving administrator/owner access to the test:tester3 user with a valid service token. Not sure if this is wanted either?
I didn't test this with the keystoneauth middleware yet.
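A simplified Python model of the two observations in the comment above, added here as an example; it is not Swift's tempauth code, and the rule table, the group lists and the function names are assumptions reconstructed from the comment (owner access needs the account id plus the prefix's require_group in the groups, while the ACL path only matches groups):

```python
# Added example: a simplified model of the authorization decision described in
# the comment above. It is NOT Swift's tempauth code; the rule set, the group
# lists and the helper names are assumptions reconstructed from the comment.

# reseller prefix -> group that must also be present for owner access
# (mirrors "reseller_prefix = AUTH, SERVICE" / "SERVICE_require_group = .service")
ACCOUNT_RULES = {"AUTH": None, "SERVICE": ".service"}


def account_prefix(account):
    """Return the reseller prefix of an account name, or None if unmanaged."""
    for prefix in ACCOUNT_RULES:
        if account.startswith(prefix + "_"):
            return prefix
    return None


def authorize(account, user_groups, service_groups=(), container_acl=()):
    """Decide access to a container in `account`.

    user_groups    : groups derived from the X-Auth-Token user
    service_groups : groups added by a valid X-Service-Token (empty = none sent)
    container_acl  : groups listed in the container's read/write ACL
    Returns "owner", "acl" or "denied".
    """
    groups = list(user_groups) + list(service_groups)
    prefix = account_prefix(account)
    if prefix is None:
        return "denied"
    require_group = ACCOUNT_RULES[prefix]

    # Owner path: the account id itself must be among the groups, and for a
    # SERVICE_ account the .service group must be there too. Observation 2:
    # "SERVICE_glance" is never in the groups, so this never matches.
    if account in groups and (require_group is None or require_group in groups):
        return "owner"

    # ACL path: plain group matching with no require_group check at all.
    # Observation 1: an ACL entry for test:tester3 is enough, no service token.
    if any(group in container_acl for group in groups):
        return "acl"
    return "denied"


# Constructed inputs, taken from the group list quoted in the comment above.
TESTER3 = ["test", "test:tester3"]
GLANCE_SERVICE = ["glance", "glance:glance", ".service"]

if __name__ == "__main__":
    print(authorize("SERVICE_glance", TESTER3, container_acl=["test:tester3"]))   # acl
    print(authorize("SERVICE_glance", TESTER3, GLANCE_SERVICE))                    # denied
```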