All operations are performed with admin privileges when 'use_user_token' is False
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Fix Released | Critical | Mike Fedosin | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | Fix Released | Undecided | Unassigned | |
Bug Description
In glance-api.conf we have a parameter called 'use_user_token' which is enabled by default. It was introduced to allow for reauthentication when tokens expire and prevents requests from silently failing. https:/
Unfortunately, disabling this parameter leads to security issues and allows a regular user to perform any operation with admin rights.
Steps to reproduce on devstack:
1. Change /etc/glance/

```ini
# Pass the user's token through for API requests to the registry.
# Default: True
use_user_token = False
# If 'use_user_token' is not in effect then admin credentials
# can be specified. Requests to the registry on behalf of
# the API will use these credentials.
# Admin user name
admin_user = glance
# Admin password
admin_password = nova
# Admin tenant name
admin_tenant_name = service
# Keystone endpoint
auth_url = http://
```

(for v2 api it's required to enable registry service, too: data_api = glance.
2. Create a private image with the admin user:

```
source openrc admin admin
glance --os-image-
+------
| Property | Value |
+------
| checksum | e533283e6aac072
| container_format | bare |
| created_at | 2015-09-
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | e0d0bf2f-
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | private |
| owner | e1cec705e33b4df
| protected | False |
| size | 616 |
| status | active |
| updated_at | 2015-09-
| virtual_size | None |
+------
```
3. Check the image list with the admin user:

```
glance --os-image-
+------
| ID | Name | Disk Format | Container Format | Size | Status |
+------
| 4a1703e7-
| c513f951-
| de99e4b9-
| e0d0bf2f-
+------
```
4. Enable the demo user and get the image list:

```
source openrc demo demo
glance --os-image-
+------
| ID | Name | Disk Format | Container Format | Size | Status |
+------
| 4a1703e7-
| c513f951-
| de99e4b9-
| e0d0bf2f-
+------
```
5. Try to get access to the admin's private image with the demo user:

```
glance --os-image-
+------
| Property | Value |
+------
| checksum | e533283e6aac072
| container_format | bare |
| created_at | 2015-09-
| deleted | False |
| disk_format | qcow2 |
| id | e0d0bf2f-
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | private |
| owner | e1cec705e33b4df
| protected | False |
| size | 616 |
| status | active |
| updated_at | 2015-09-
+------
```
The same happens when demo user wants to create/
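The following is an added illustration, not code from the report or from Glance: it audits a glance-api.conf fragment for the 'use_user_token = False' setting and models, in simplified form, which identity the registry ends up evaluating ownership checks against. The configuration text, the tenant names and the visibility rule are constructed assumptions.

```python
import configparser
from dataclasses import dataclass

# Constructed excerpt mirroring the reproduction step; not a real deployment.
SAMPLE_CONF = """\
use_user_token = False
admin_user = glance
admin_password = nova
admin_tenant_name = service
auth_url = http://keystone.example.invalid:35357/v2.0
"""

def load_conf(text):
    """Parse a glance-api.conf fragment; tolerate a missing [DEFAULT] header."""
    if not text.lstrip().startswith("["):
        text = "[DEFAULT]\n" + text
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp["DEFAULT"]

def audit(text):
    """Return findings describing why this configuration is dangerous."""
    cfg = load_conf(text)
    findings = []
    if not cfg.getboolean("use_user_token", fallback=True):
        findings.append("use_user_token=False: registry requests drop the caller's token")
        if cfg.get("admin_user"):
            findings.append("registry requests run as %s in tenant %s"
                            % (cfg["admin_user"], cfg.get("admin_tenant_name", "?")))
    return findings

@dataclass(frozen=True)
class Identity:
    tenant: str
    is_admin: bool

def registry_identity(cfg, caller):
    """Identity the registry sees: the caller's own, or the configured admin (simplified model)."""
    if cfg.getboolean("use_user_token", fallback=True):
        return caller
    return Identity(tenant=cfg.get("admin_tenant_name", ""), is_admin=True)

def can_read_image(image_owner, is_public, ident):
    """Simplified visibility rule: public, admin, or same tenant as the owner."""
    return is_public or ident.is_admin or ident.tenant == image_owner
```

With the report's settings a non-admin caller is presented to the registry as the service admin, so the owner check on a private image passes; with the default True it is evaluated against the caller's own tenant.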
Changed in glance:
- importance: Undecided → Critical
- assignee: nobody → Mike Fedosin (mfedosin)
- milestone: none → liberty-rc1
- status: New → Triaged
- description: updated
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.