Admin rights shouldn't work cross-tenant
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Confirmed
|
Wishlist
|
Unassigned | ||
OpenStack Identity (keystone) |
Confirmed
|
Wishlist
|
Unassigned |
Bug Description
Consider user A is an `admin` in Y tenant and has no roles in Z tenant. Let G image be an image from Z tenant.
User A gets a token for Y tenant and sends a request: "delete G image". Currently, glance allows such malicious action.
That's because glance/
The problem exists in this branch:
commit fc758a46e77de17
Author: Dan Prince <email address hidden>
Date: Thu Jun 7 22:23:48 2012 -0400
The same security hole is found in Keystone: an `admin` user is allowed to do anything, e.g. remove users and their roles for any tenant.
Changed in glance: | |
status: | New → Incomplete |
Changed in keystone: | |
status: | Confirmed → Incomplete |
summary: |
- Admin rights escalate to other tenants (was: glance allows to delete - arbitrary images) + Admin rights shouldn't work cross-tenant |
security vulnerability: | yes → no |
visibility: | private → public |
Changed in glance: | |
importance: | Undecided → Wishlist |
status: | Incomplete → Confirmed |
Changed in keystone: | |
status: | Incomplete → Confirmed |
importance: | High → Wishlist |
tags: | added: security |
Adding PTL for input. I /think/ this is by design though... admins are not scoped to tenants ?