policy cloudsample checks on is_admin_project

Bug #1735554 reported by Adam Young
Affects                        Status     Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Confirmed  Medium      Unassigned
OpenStack Security Advisory    Won't Fix  Undecided   Unassigned

Bug Description

In an attempt to keep the cloud sample file backwards compatible, the cloud_admin rule was modified like this:

 "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",

This is wrong: the cloud sample is managing admin based on an admin domain, and a domain scoped token will never have is_admin_project: True in it. However, the migration path has ALL tokens tagged this way, and this will violate the security of the file.

This is not a problem yet, as the "is_admin_project" flag is going to be enforced by oslo-context, and that has not yet been integrated into the policy check in keystone. If it were, this would be a security hole.

I think this bug can be made public, but starting with it as private until it is reviewed.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

I agree with Adam, this is not a current security bug. This is likely a Class B3 or Class D [1] and can be made public. The feature that is impacted is at best experimental / not fully implemented as Adam said.
I would like to have another core-sec weigh in though.

[1] https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Revision history for this message
Harry Rybacki (hrybacki-h) wrote :

I agree with Adam and Morgan's assessment. Adding Luke Hinds as Sec-PTL for further input.

Revision history for this message
Luke Hinds (lhinds) wrote :

If it relies on a feature not yet landed, I see no reason not to go public.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since we have some consensus this is not a vulnerability in a production-ready feature of any released versions, I've switched the report to public and triaged our security advisory task won't-fix accordingly.

description: updated
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Revision history for this message
Adam Young (ayoung) wrote :

To mark this as fixed, we should update the cloudsample to clearly delineate between the two versions. If someone is using cloud sample, they probably don't need is_admin_project, and we can just remove it.

Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
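To make the two rule versions concrete, here is an added example (not keystone's or oslo.policy's own code): a minimal evaluator that mimics oslo.policy's `role:` check and generic `key:value` check semantics for `and`/`or` rules with parentheses, applied to the cloud_admin rule as reported and to the rule with `is_admin_project` removed. The credential dicts are constructed for illustration, and `admin_domain_id` is the literal placeholder from the cloud sample.

```python
import re

# Tokens: parentheses, the keywords and/or, and "kind:match" atoms.
TOKENS = re.compile(r"\(|\)|\band\b|\bor\b|[\w.]+:[\w.]+")

def _atom(expr):
    kind, match = expr.split(":", 1)
    if kind == "role":  # RoleCheck: case-insensitive membership in creds["roles"]
        return lambda c: match.lower() in [r.lower() for r in c.get("roles", [])]
    # GenericCheck: literal compared with str(creds[kind]); a missing key fails closed
    return lambda c: kind in c and str(c[kind]) == match

def _parse_or(toks):
    left = _parse_and(toks)
    while toks and toks[0] == "or":
        toks.pop(0)
        left = (lambda l, r: lambda c: l(c) or r(c))(left, _parse_and(toks))
    return left

def _parse_and(toks):
    left = _parse_primary(toks)
    while toks and toks[0] == "and":
        toks.pop(0)
        left = (lambda l, r: lambda c: l(c) and r(c))(left, _parse_primary(toks))
    return left

def _parse_primary(toks):
    tok = toks.pop(0)
    if tok == "(":
        inner = _parse_or(toks)
        if toks.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return inner
    return _atom(tok)

def compile_rule(rule):
    # Turn an oslo.policy-style rule string into a callable taking a creds dict.
    toks = TOKENS.findall(rule)
    check = _parse_or(toks)
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return check

BUGGY_CLOUD_ADMIN = "role:admin and (is_admin_project:True or domain_id:admin_domain_id)"
FIXED_CLOUD_ADMIN = "role:admin and domain_id:admin_domain_id"

# Constructed credentials (not real keystone output). During the migration every
# token is tagged is_admin_project=True; a project-scoped token carries no domain_id.
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "proj-1", "is_admin_project": True}
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id", "is_admin_project": False}
```

With the rule as reported, `compile_rule(BUGGY_CLOUD_ADMIN)(PROJECT_ADMIN)` is True, so an admin on an ordinary project passes cloud_admin; with `is_admin_project` dropped, only the admin-domain token does.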