Horizon doesn't provide ACL on Instance level

Bug #1975830 reported by Jiří Kozlovský
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | New | Undecided | Unassigned | |

Bug Description

Hi,

We use Horizon in our company with 2k+ employees, and I was assigned to a common Project, where many of my colleagues have legitimate access. However, I'm running a "private" instance, which contains sensitive data, such as LDAP login, issue tracking / GitLab tokens etc.

The problem is that I want to be able to use the Console tab on my instance when necessary, but that means everyone else in the same project has access to the Console of my "private" instance. Which means they can e.g.:
- reboot the instance
- edit grub entry (add `init=/bin/bash` to the `linux` command)
- become limitless
  - even if I encrypt the disk first, they could edit the image I run so that I use grub with a keylogger from a modified Stage1, hence they force me to type the decryption password once it reboots
  - essentially no matter what I do, I cannot prevent anyone from having "physical" access to my "private" instance

This could be solved by creating an Access Control List implementation so that the instance creator could choose who would have access to the instance from the GUI.

I hope it makes sense.

All best,
Jiří

Jeremy Stanley (fungi) wrote :

This seems to be a security-related feature request rather than a vulnerability report, so I'm switching it to a regular public bug type and adding the security tag instead.

information type: Private Security → Public
tags: added: security

Jiří Kozlovský (jirislav) wrote :

Thank you Jeremy for switching it.

I'd like to note that the method of "stealing private data" from others' instances in the same project is just an example. There might be other approaches such as:
- snapshotting the instance / volumes
- booting with rescue image

The naive "solution" seems to be to create one project for every employee who needs a "private" instance. But this approach doesn't scale.

Ghanshyam Mann (ghanshyammann) wrote :

OpenStack access control is not enforced/operated at the user level; instead it is at the project level. This means instance creation is done by projects, and that project is the owner of the instance and can perform all the allowed operations. Here, project means any user under that project.

You cannot even override policy to enforce user-level access control. We had a few APIs in nova where user-level enforcement was done, but we removed that; for backward compatibility, we kept a few destructive actions with user-level enforcement. But again, we do not recommend doing so, as we might be removing those in the future.
- https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
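
A simplified model of the two rule forms contrasted in the comment above, added here as an illustration; it is not part of the bug thread and is not nova or oslo.policy code. The evaluator, the users, the target and both rule strings are constructed for the example and only mimic the `field:%(target_field)s` check syntax.

```python
# Simplified, constructed model: project-scoped vs. user-scoped policy rules.
# Assumption: rules are flat "A or B" / "A and B" chains without parentheses.

def atom(check, creds, target):
    """Evaluate one check of the form 'role:<name>' or '<cred_field>:<value>'."""
    kind, match = check.split(":", 1)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: a credential field must equal a value filled in from the target.
    return str(creds.get(kind)) == match % target

def enforce(rule, creds, target):
    """True if any 'or' alternative has all of its 'and' checks satisfied."""
    return any(
        all(atom(c.strip(), creds, target) for c in alt.split(" and "))
        for alt in rule.split(" or ")
    )

def who_can(rule, users, target):
    """Names of the users the rule lets act on the target, in input order."""
    return [name for name, creds in users.items() if enforce(rule, creds, target)]

# Constructed rule strings (hypothetical, not copied from any policy file).
PROJECT_RULE = "role:admin or project_id:%(project_id)s"  # project-level ownership
USER_RULE = "role:admin or user_id:%(user_id)s"           # user-level ownership

# Constructed sample data: alice created the instance in a shared project.
USERS = {
    "alice": {"user_id": "alice", "project_id": "shared", "roles": ["member"]},
    "bob":   {"user_id": "bob",   "project_id": "shared", "roles": ["member"]},
    "carol": {"user_id": "carol", "project_id": "other",  "roles": ["member"]},
    "dave":  {"user_id": "dave",  "project_id": "ops",    "roles": ["admin"]},
}
INSTANCE = {"project_id": "shared", "user_id": "alice"}

if __name__ == "__main__":
    # Project rule: every member of the owning project passes, not just the creator.
    print("project-scoped:", who_can(PROJECT_RULE, USERS, INSTANCE))
    # User rule: only the creator (and admins) pass.
    print("user-scoped:   ", who_can(USER_RULE, USERS, INSTANCE))
```
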
