Designate GET and POST /v1/domains has auth issue

Bug #1460187 reported by Kim Jensen on 2015-05-29
Affects             Importance   Assigned to
Designate           Critical     Endre Karlson
Designate Kilo      Critical     Kiall Mac Innes
designate (Ubuntu)  Undecided    Unassigned

Bug Description

Users with an unscoped project token are authorized to list and create designate domains. Based on the policy file, this should not be allowed.

If a user gets a token that is not scoped to a project, that user is able to list and create designate domains.
I would expect that only a token scoped to a tenant with the required role should be authorized to successfully make the create and get domain calls.

For example:
POST https://KEYSTONE_ENDPOINT:35357/v2.0/tokens HTTP/1.1
Connection: close
Content-Type: application/json
Content-Length: 150

{
   "auth":{
      "passwordCredentials":{
         "username":"testUserName",
         "password":"password"
      }
   }
}

Response:
{"access": {
   "token": {
      "issued_at": "2015-05-29T19:12:41.885602",
      "expires": "2015-05-29T21:12:41Z",
      "id": "a2ce8e93ac6b43d0b0e84fd07863a8b9",
      "audit_ids": ["zus4wLUbSK6mjF6cTe_R9Q"]
   },
...

Create domain

POST https://DESIGNATE_ENDPOINT:9001/v1/domains HTTP/1.1
Connection: close
X-Auth-Token: a2ce8e93ac6b43d0b0e84fd07863a8b9
Content-Type: application/json
Content-Length: 85

{
  "name": "test-tc21abc.org.",
  "ttl": 3600,
  "email": "<email address hidden>"
}

Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 248
Location: http://DESIGNATE_ENDPOINT:9001/v1/domains/6e1f4190-9901-488b-a9f4-489bf1030067
X-Openstack-Request-Id: req-22ee36ba-f5db-4c9f-b26c-732a39bdca85
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close

{
  "created_at": "2015-05-29T19:12:43.000000",
  "description": null,
  "email": "<email address hidden>",
  "id": "6e1f4190-9901-488b-a9f4-489bf1030067",
  "name": "test-tc21abc.org.",
  "serial": 1432926762,
  "ttl": 3600,
  "updated_at": null
}

Get domains

GET https://DESIGNATE_ENDPOINT:9001/v1/domains HTTP/1.1
Connection: close
X-Auth-Token: a2ce8e93ac6b43d0b0e84fd07863a8b9

Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 311
X-Openstack-Request-Id: req-0f8cea71-05d0-43f1-954d-c2d6d014900c
Date: Fri, 29 May 2015 19:12:43 GMT
Connection: close

{
  "domains": [
    {
      "created_at": "2015-05-29T19:12:43.000000",
      "description": null,
      "email": "<email address hidden>",
      "id": "6e1f4190-9901-488b-a9f4-489bf1030067",
      "name": "test-tc21abc.org.",
      "serial": 1432926762,
      "ttl": 3600,
      "updated_at": null
    }
  ]
}

Kiall Mac Innes (kiall) on 2015-05-30
Changed in designate:
milestone: none → liberty-1
importance: Undecided → Critical
Kim Jensen (kim-jensen2) on 2015-06-01
description: updated
Kiall Mac Innes (kiall) on 2015-06-02
information type: Public → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/187570

Changed in designate:
assignee: nobody → Endre Karlson (endre-karlson)
status: New → In Progress

Reviewed: https://review.openstack.org/187570
Committed: https://git.openstack.org/cgit/openstack/designate/commit/?id=ae235cba3c5bda5d1da6816135400107660a2794
Submitter: Jenkins
Branch: master

commit ae235cba3c5bda5d1da6816135400107660a2794
Author: Endre Karlson <email address hidden>
Date: Tue Jun 2 14:56:41 2015 +0200

    Enforce usage of project scoped token

    In order for functionality to remain intact (ie disallow people to create / do
    actions in designate that ends up with a "None" tenant_id as the owner in the
    db) we need to enforce the use of a project scoped token for now.

    Closes-Bug: #1460187

    Change-Id: I8a64fe4938b3b9b0ade9fe210e4da0d19ad1c23f
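The failure mode the report and the commit message describe, as an added example that is not Designate's own code: a Keystone v2 token response only carries a "tenant" entry when the token is project scoped, so an API that reads the owner from the token without first checking that a project is present stores None as the owner and later lists those records back to any unscoped caller. The token payloads, the in-memory store and the function names are constructed for this illustration.

```python
"""Scope check illustrated for this bug (added example, not Designate's code).
A Keystone v2 token response carries a "tenant" entry only when the token is
project scoped; an API that trusts the token's tenant id without checking it
stores None as the owner. Token payloads and the store below are constructed."""
from typing import Optional

# Constructed Keystone v2 responses: unscoped (as in the report) vs project scoped.
UNSCOPED_TOKEN = {"access": {"token": {"id": "a2ce8e93ac6b43d0b0e84fd07863a8b9"}}}
SCOPED_TOKEN = {"access": {"token": {"id": "tok-scoped-example",
                                     "tenant": {"id": "proj-123", "name": "demo"}}}}

class Unauthorized(Exception):
    """Raised when a request is refused before any policy rule is evaluated."""

def tenant_id_from_token(token_response: dict) -> Optional[str]:
    """Return the project id a v2 token is scoped to, or None if it is unscoped."""
    return token_response["access"]["token"].get("tenant", {}).get("id")

def _check_scope(tenant_id: Optional[str], require_project_scope: bool) -> None:
    # The fix in this bug: refuse the request when the token carries no project.
    if require_project_scope and tenant_id is None:
        raise Unauthorized("a project scoped token is required")

def create_domain(store: list, token_response: dict, name: str,
                  require_project_scope: bool) -> dict:
    """Create a domain owned by the token's project. With require_project_scope
    False this reproduces the report: the call succeeds and the owner is None."""
    tenant_id = tenant_id_from_token(token_response)
    _check_scope(tenant_id, require_project_scope)
    domain = {"name": name, "tenant_id": tenant_id}
    store.append(domain)
    return domain

def list_domains(store: list, token_response: dict, require_project_scope: bool) -> list:
    """List the caller's domains; an owner of None matches every record an
    unscoped caller created, which is what the report's GET shows."""
    tenant_id = tenant_id_from_token(token_response)
    _check_scope(tenant_id, require_project_scope)
    return [d for d in store if d["tenant_id"] == tenant_id]

def is_rejected(fn, *args, **kwargs) -> bool:
    """True if the call is refused with Unauthorized; used to exercise the check."""
    try:
        fn(*args, **kwargs)
    except Unauthorized:
        return True
    return False
```

Running the same unscoped request with require_project_scope set to True shows the post-fix behaviour: the request is refused before any domain is written or listed.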

Changed in designate:
status: In Progress → Fix Committed
Kiall Mac Innes (kiall) on 2015-06-07
Changed in designate (Ubuntu):
status: New → Confirmed

Reviewed: https://review.openstack.org/189095
Committed: https://git.openstack.org/cgit/openstack/designate/commit/?id=5cac3a602f93152e4a4411c9a3362d8f5051fc75
Submitter: Jenkins
Branch: stable/kilo

commit 5cac3a602f93152e4a4411c9a3362d8f5051fc75
Author: Endre Karlson <email address hidden>
Date: Tue Jun 2 14:56:41 2015 +0200

    Enforce usage of project scoped token

    In order for functionality to remain intact (ie disallow people to create / do
    actions in designate that ends up with a "None" tenant_id as the owner in the
    db) we need to enforce the use of a project scoped token for now.

    Closes-Bug: #1460187

    Change-Id: I8a64fe4938b3b9b0ade9fe210e4da0d19ad1c23f
    (cherry picked from commit ae235cba3c5bda5d1da6816135400107660a2794)

Thierry Carrez (ttx) on 2015-06-24
Changed in designate:
status: Fix Committed → Fix Released
James Page (james-page) on 2015-10-02
Changed in designate (Ubuntu):
status: Confirmed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in designate:
milestone: liberty-1 → 1.0.0
This report contains Public Security information
Everyone can see this security related information.
