Default admin_token usable on Keystone

Bug #1582893 reported by Sheena Conant on 2016-05-17
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
High
Matthew Mosesohn
6.1.x
High
Matthew Mosesohn
7.0.x
High
Alexey Stupnikov
8.0.x
High
Alexey Stupnikov
Mitaka
High
Matthew Mosesohn

Bug Description

The default admin_token is used to perform administrative tasks on Keystone such as creating users. This Token gives administrative access to anyone without authentication and lasts indefinitely until disabled in configuration files.

Per mattymo: We should disable it like we do on deployed OpenStack nodes. It is not used by any services. This is a quick fix we can quickly make.

tags: added: customer-found feature-security
Dmitry Klenov (dklenov) on 2016-05-18
Changed in fuel:
milestone: none → 10.0
assignee: nobody → MOS Keystone (mos-keystone)
importance: Undecided → Medium
status: New → Confirmed
tags: added: area-mos
Changed in fuel:
assignee: MOS Keystone (mos-keystone) → Matthew Mosesohn (raytrac3r)

Fix proposed to branch: master
Review: https://review.openstack.org/318582

Changed in fuel:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/318582
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=48f880e9572c63ed9d1e02ce1cf6f2c992dc82ac
Submitter: Jenkins
Branch: master

commit 48f880e9572c63ed9d1e02ce1cf6f2c992dc82ac
Author: Matthew Mosesohn <email address hidden>
Date: Thu May 19 14:26:53 2016 +0300

    Add service_token_off to keystone hash

    Adding service_token_off to astute.yaml lets us reuse
    a fuel-library single class to disable the keystone
    service token.

    Change-Id: Ia22163d572a581f2f159396346fbb83cbe7bee94
    Partial-Bug: #1582893

Reviewed: https://review.openstack.org/319895
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=4d886766206835f803844e8469d0ef2ed074b81d
Submitter: Jenkins
Branch: master

commit 4d886766206835f803844e8469d0ef2ed074b81d
Author: Matthew Mosesohn <email address hidden>
Date: Mon May 23 15:05:47 2016 +0300

    Add service_token_off to keystone hash

    Adding service_token_off to astute.yaml lets us reuse a
    fuel-library single class to disable the keystone service
    token.

    Change-Id: Idb7694b19792a6c43c2752867da7c34b995513d0
    Partial-Bug: #1582893

Dmitry Pyzhov (dpyzhov) wrote :

This is a potential security issue. Raising to High priority

Changed in fuel:
importance: Medium → High
information type: Public → Public Security
Changed in fuel:
assignee: Matthew Mosesohn (raytrac3r) → Dmitry Ilyin (idv1985)
Changed in fuel:
assignee: Dmitry Ilyin (idv1985) → Matthew Mosesohn (raytrac3r)
tags: added: security-aic
Matthew Mosesohn (raytrac3r) wrote :

This is nearly done for master. I'll get mitaka backports landed by Friday June 3

Dmitry Pyzhov (dpyzhov) on 2016-06-01
tags: added: area-library

Reviewed: https://review.openstack.org/318589
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=4c884a0b566b598f84aea864b41302d4c3c4377e
Submitter: Jenkins
Branch: master

commit 4c884a0b566b598f84aea864b41302d4c3c4377e
Author: Matthew Mosesohn <email address hidden>
Date: Thu May 19 14:36:14 2016 +0300

    Delete service_token from keystone on Fuel Master

    Deletes keystone service token after deploying keystone
    to minimize security risk.

    Change-Id: I776644f727ce086369954f383a09b48b60bf11a5
    Depends-On: Idb7694b19792a6c43c2752867da7c34b995513d0
    Closes-Bug: #1582893

Changed in fuel:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/325355
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=1a6c62256e2956f944db3be315a9341977f0f90e
Submitter: Jenkins
Branch: stable/mitaka

commit 1a6c62256e2956f944db3be315a9341977f0f90e
Author: Matthew Mosesohn <email address hidden>
Date: Mon May 23 15:05:47 2016 +0300

    Add service_token_off to keystone hash

    Adding service_token_off to astute.yaml lets us reuse a
    fuel-library single class to disable the keystone service
    token.

    Change-Id: Idb7694b19792a6c43c2752867da7c34b995513d0
    Partial-Bug: #1582893
    (cherry picked from commit 4d886766206835f803844e8469d0ef2ed074b81d)

tags: added: in-stable-mitaka

Reviewed: https://review.openstack.org/325301
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=eaa1d8dbe90c92c9c32d7592cdaccbe036a721fb
Submitter: Jenkins
Branch: stable/mitaka

commit eaa1d8dbe90c92c9c32d7592cdaccbe036a721fb
Author: Matthew Mosesohn <email address hidden>
Date: Thu May 19 14:36:14 2016 +0300

    Delete service_token from keystone on Fuel Master

    Deletes keystone service token after deploying keystone
    to minimize security risk.

    Change-Id: I776644f727ce086369954f383a09b48b60bf11a5
    Depends-On: Idb7694b19792a6c43c2752867da7c34b995513d0
    Closes-Bug: #1582893
    (cherry picked from commit 4c884a0b566b598f84aea864b41302d4c3c4377e)

Reviewed: https://review.openstack.org/325809
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=818007fb41b9503e658f84d7f6b7b7a126be9b59
Submitter: Jenkins
Branch: stable/6.1

commit 818007fb41b9503e658f84d7f6b7b7a126be9b59
Author: Matthew Mosesohn <email address hidden>
Date: Mon Jun 6 13:01:51 2016 +0300

    Delete service_token from keystone on Fuel Master

    Deletes keystone service token after deploying keystone to
    minimize security risk.

    Adapted from Change-ID I776644f727ce086369954f383a09b48b60bf11a5

    Change-Id: Ie08121bdc3cdaa682201831f1253edd0b2659261
    Closes-Bug: #1582893

tags: added: on-verification

Verified on 9.0-mos #450

[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" "http://localhost:5000/v2.0/tenants"
...
< HTTP/1.1 401 Unauthorized
...
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $VALID_TOKEN" "http://localhost:5000/v2.0/tenants"
...
< HTTP/1.1 200 OK
< Server: nginx
...

[root@nailgun ~]# shotgun2 short-report
cat /etc/fuel_build_id:
 450
cat /etc/fuel_build_number:
 450
cat /etc/fuel_release:
 9.0
cat /etc/fuel_openstack_version:
 mitaka-9.0
rpm -qa | egrep 'fuel|astute|network-checker|nailgun|packetary|shotgun':
 fuel-release-9.0.0-1.mos6347.noarch
 fuel-provisioning-scripts-9.0.0-1.mos8723.noarch
 python-packetary-9.0.0-1.mos140.noarch
 fuel-bootstrap-cli-9.0.0-1.mos285.noarch
 fuel-migrate-9.0.0-1.mos8435.noarch
 rubygem-astute-9.0.0-1.mos748.noarch
 fuel-mirror-9.0.0-1.mos140.noarch
 shotgun-9.0.0-1.mos90.noarch
 fuel-openstack-metadata-9.0.0-1.mos8723.noarch
 fuel-notify-9.0.0-1.mos8435.noarch
 nailgun-mcagents-9.0.0-1.mos748.noarch
 python-fuelclient-9.0.0-1.mos323.noarch
 fuel-9.0.0-1.mos6347.noarch
 fuel-utils-9.0.0-1.mos8435.noarch
 fuel-setup-9.0.0-1.mos6347.noarch
 fuel-misc-9.0.0-1.mos8435.noarch
 fuel-library9.0-9.0.0-1.mos8435.noarch
 network-checker-9.0.0-1.mos74.x86_64
 fuel-agent-9.0.0-1.mos285.noarch
 fuel-ui-9.0.0-1.mos2715.noarch
 fuel-ostf-9.0.0-1.mos935.noarch
 fuelmenu-9.0.0-1.mos272.noarch
 fuel-nailgun-9.0.0-1.mos8723.noarch

tags: removed: on-verification
information type: Public Security → Private Security
Matthew Mosesohn (raytrac3r) wrote :

9.0 save only wasn't refactored in Fuelmenu. It needs another patch to add keystone/service_token_off to /etc/fuel/astute.yaml during --save-only mode.

Matthew Mosesohn (raytrac3r) wrote :

Verification steps:
1 - ensure /etc/fuel/astute.yaml doesn't contain service_token_off: "true"
2 - run fuelmenu --save-only
3 - ensure /etc/fuel/astute.yaml contains service_token_off: "true"
4 - remove service_token_off: "true" from /etc/fuel/astute.yaml
5 - run fuelmenu interactively and save and quit
6 - ensure /etc/fuel/astute.yaml contains service_token_off: "true"

tags: added: on-verification
tags: removed: on-verification
Oleksiy Molchanov (omolchanov) wrote :

Marked as Released, because of it was verified by Andrey.

Alexey Stupnikov (astupnikov) wrote :

OK, everything was reviewed. We have to wait until 7.0-MU4 will be released to merge everything.

tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 8.0 + mu2 updates.

Before:
[root@nailgun ~]# curl -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
{"tenants_links": [], "tenants": [{"description": "", "enabled": true, "id": "41ea0c3df4354c2f8a5aad8ecf071d9d", "name": "admin"}, {"description": "fuel services tenant", "enabled": true, "id": "23785dc92cb4494da98040e803540255", "name": "services"}]}
With fix:
[root@nailgun ~]# curl -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

tags: removed: on-verification
tags: added: on-verification
information type: Private Security → Public Security
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 6.1 + mu7 updates.

Before:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
...
< HTTP/1.1 200 OK
After:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
...
< HTTP/1.1 401 Unauthorized

tags: removed: on-verification
tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 7.0 + mu5 updates.

Before:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
...
< HTTP/1.1 200 OK
After:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
* About to connect() to localhost port 35357 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 35357 (#0)
> GET /v2.0/tenants HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:35357
> Accept: */*
> X-Auth-Token: Eoa5rGcW
>
< HTTP/1.1 401 Unauthorized
< Www-Authenticate: Keystone uri="http://localhost:35357"
< Vary: X-Auth-Token
< Content-Type: application/json
< Content-Length: 114
< Date: Wed, 10 Aug 2016 13:18:25 GMT
<
* Connection #0 to host localhost left intact
* Closing connection #0
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}[root@nailgun ~]# VALID_TOername": "admin", "password": "admin"}}}' http://localhost:5000/v2.0/tokens | python -c 'import sys, json; print(json.load(sys.stdin)["access"]["token"]["id"])')

tags: removed: on-verification
tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on 10.0 #1543.
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
* About to connect() to localhost port 35357 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 35357 (#0)
> GET /v2.0/tenants HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:35357
> Accept: */*
> X-Auth-Token: EbwQCDQ5r5xP6oPtqZBijqDr
>
< HTTP/1.1 401 Unauthorized
< Date: Thu, 06 Apr 2017 12:58:03 GMT
< Server: Apache/2.4.6 (CentOS)
< Vary: X-Auth-Token
< x-openstack-request-id: req-83ba9a7b-b199-49b6-ac83-ab828516a806
< WWW-Authenticate: Keystone uri="http://localhost:35357"
< Content-Length: 114
< Connection: close
< Content-Type: application/json
<
* Closing connection 0
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}[root@nailgun ~]#

tags: removed: on-verification
Changed in fuel:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers