Project admin gets treated as Global Admin with Secure RBAC

Bug #1933271 reported by Erno Kuvaja
This bug report is a duplicate of: Bug #968696: "admin"-ness not properly scoped.

Affects                        Status      Importance  Assigned to  Milestone
OpenStack Identity (keystone)  New         Undecided   Unassigned
OpenStack Security Advisory    Incomplete  Undecided   Unassigned

Bug Description

This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2021-09-20 and will be made
public by or on that date even if no fix is identified.

stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<snip>
OS_IDENTITY_API_VERSION=3
stack@ubnt-devstack:~/devstack$ openstack user show demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | <email address hidden>           |
| enabled             | False                            |
| id                  | 960e1d31f46a46a5bc0512ff9e5416b3 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack user set --enable demo
stack@ubnt-devstack:~/devstack$ openstack user show demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | <email address hidden>           |
| enabled             | True                             |
| id                  | 960e1d31f46a46a5bc0512ff9e5416b3 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role        | User              | Group             | Project                    | Domain  | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin       |                   | admins@Default    | admin@Default              |         |        | False     |
| anotherrole | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
| member      | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
| anotherrole |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
| member      |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
| anotherrole |                   | nonadmins@Default | demo@Default               |         |        | False     |
| member      |                   | nonadmins@Default | demo@Default               |         |        | False     |
| admin       | nova@Default      |                   | service@Default            |         |        | False     |
| service     | nova@Default      |                   | service@Default            |         |        | False     |
| admin       | placement@Default |                   | service@Default            |         |        | False     |
| service     | placement@Default |                   | service@Default            |         |        | False     |
| service     | glance@Default    |                   | service@Default            |         |        | False     |
| member      | demo@Default      |                   | invisible_to_admin@Default |         |        | False     |
| anotherrole | demo@Default      |                   | demo@Default               |         |        | False     |
| member      | demo@Default      |                   | demo@Default               |         |        | False     |
| service     | cinder@Default    |                   | service@Default            |         |        | False     |
| admin       | privtest@Default  |                   | privilege-test@Default     |         |        | False     |
| service     | neutron@Default   |                   | service@Default            |         |        | False     |
| admin       | admin@Default     |                   | admin@Default              |         |        | False     |
| admin       | admin@Default     |                   | alt_demo@Default           |         |        | False     |
| admin       | admin@Default     |                   | demo@Default               |         |        | False     |
| admin       | admin@Default     |                   |                            | Default |        | False     |
| admin       | admin@Default     |                   |                            |         | all    | False     |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+

NOTE that the privtest user used here has no affiliations or roles other than admin in privilege-test@Default.

Not sure how far this goes in Keystone but based on the scope I've been poking at, I'd assume it's global.

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Gage Hugo (gagehugo) wrote :

I believe this is a duplicate of https://bugs.launchpad.net/keystone/+bug/968696 which has been worked on over many years now across most openstack projects.

The "fix" for this is to define more specific roles rather than giving people the "admin" role or assigning them to the "admin project". At least until the efforts with 968696 are completed.

Gage Hugo (gagehugo) wrote :

I'm leaning towards marking this as public due to the information being publicly known (for many years now) via 968696.

Gage Hugo (gagehugo)
information type: Private Security → Public Security
Erno Kuvaja (jokke) wrote (last edit ):

The 968696 was confirmed "Fix Released" in Train, so I do assume this is a new issue or regression, right? Especially as the problem is not documented anywhere.

Note that the Keystone Admin Guide [0] states:
"""We reserve the admin role for the most privileged operations within a given scope.""" and """Users with admin on a project shouldn’t be able to manage things outside the project because it would violate the tenancy of their role assignment (this doesn’t apply consistently since services are addressing this individually at their own pace)."""

And after that it lists the personas it applies consistently since Train. By no means does it even hint that the issue is known or that Keystone itself would not honour the Persona boundaries.

[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html

Gage Hugo (gagehugo) wrote :

The documentation can definitely be improved here, specifically calling out "enforce_scope". A note or warning on that page [0] would probably be good.

[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
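To make the behaviour shown in the report's role listing and the enforce_scope point in the comment above concrete, here is a small added Python model of policy scope enforcement; it is not keystone's or oslo.policy's code, and the rule names, the two-atom check-string grammar and the sample tokens are assumptions. It shows that a legacy check string of role:admin is satisfied by a token whose admin role is scoped only to one project, while a rule that declares scope_types and requires system scope rejects that token, outright once enforce_scope is on.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    check_str: str           # e.g. "role:admin" or "role:admin and system_scope:all"
    scope_types: tuple = ()  # token scopes this API is meant for, e.g. ("system",)

@dataclass(frozen=True)
class Token:
    roles: frozenset
    scope: str               # "project", "domain" or "system"
    target: str              # project/domain id, or "all" for system scope

class InvalidScope(Exception):
    """Raised when enforce_scope is on and the token's scope is not allowed."""

def _atom(atom, token):
    # Only two check kinds are modelled (assumption; real oslo.policy has more).
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in token.roles
    if kind == "system_scope":
        return token.scope == "system" and token.target == value
    raise ValueError(f"unsupported check {atom!r}")

def enforce(rule, token, enforce_scope):
    """True when token satisfies rule. With enforce_scope on, a scope mismatch is
    rejected before the check string runs; with it off, it is only a warning."""
    if rule.scope_types and token.scope not in rule.scope_types and enforce_scope:
        raise InvalidScope(f"{rule.name}: {token.scope} scope not in {rule.scope_types}")
    return all(_atom(a.strip(), token) for a in rule.check_str.split(" and "))

def allowed(rule, token, enforce_scope):
    """enforce() with InvalidScope folded into a plain False, for callers."""
    try:
        return enforce(rule, token, enforce_scope)
    except InvalidScope:
        return False

# Constructed sample: privtest holds admin only on project privilege-test,
# mirroring the role assignment listing in the report.
PROJECT_ADMIN = Token(frozenset({"admin"}), "project", "privilege-test")
SYSTEM_ADMIN = Token(frozenset({"admin"}), "system", "all")

# Legacy rule: any "admin" role matches, wherever it was assigned.
LEGACY_RULE = Rule("identity:update_user", "role:admin")
# Scope-aware rule: declares scope_types and requires system scope in the check.
SCOPED_RULE = Rule("identity:update_user", "role:admin and system_scope:all", ("system",))
```

With the legacy rule the project-scoped admin passes regardless of the enforce_scope setting, which is the symptom the report describes; only the scope-aware rule distinguishes the two tokens.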
