glance v2 api: standard user can update other user's public metadefs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | New | Undecided | Unassigned |
OpenStack Security Advisory | Opinion | Undecided | Unassigned |
Bug Description
If project 'd12bddf60e4649
$ openstack token issue
+-----
| Field | Value |
+-----
| expires | 2016-02-
| id | 7b8b9c6347f54d4
| project_id | d12bddf60e4649b
| user_id | e543889c522c460
+-----
$ glance md-namespace-show NS1001
+-----
| Property | Value |
+-----
| created_at | 2016-02-
| namespace | NS1001 |
| objects | ["ob1"] |
| owner | d12bddf60e4649b
| protected | False |
| schema | /v2/schemas/
| updated_at | 2016-02-
| visibility | public |
+-----
Another project can update that namespace (e.g. with a new object):
$ openstack token issue
+-----
| Field | Value |
+-----
| expires | 2016-02-
| id | 0df5acec2b884f3
| project_id | c4f1b829b3af477
| user_id | 10f27b7f965a47f
+-----
$ glance md-object-create --name objectx --schema {} NS1001
+-----
| Property | Value |
+-----
| created_at | 2016-02-
| name | objectx |
| schema | /v2/schemas/
| updated_at | 2016-02-
+-----
This seems to also be possible if the namespace is owned by 'admin':
<as regular user, add an object to an admin owned namespace>
$ glance md-object-create --name objectx --schema {} OS::Compute:
+-----
| Property | Value |
+-----
| created_at | 2016-02-
| name | objectx |
| schema | /v2/schemas/
| updated_at | 2016-02-
+-----
$ glance md-namespace-show OS::Compute:
+-----
| Property | Value |
+-----
| created_at | 2016-02-
| description | This provides the preferred backing option for guest RAM. Guest's memory can be |
| | backed by hugepages to limit TLB lookups. See also: |
| | https:/
| display_name | Guest Memory Backing |
| namespace | OS::Compute:
| objects | ["objectx"] |
| owner | admin |
| properties | ["mem_page_size"] |
| protected | True |
| resource_
| schema | /v2/schemas/
| visibility | public |
+-----
<as regular user, add a property to an admin owned namespace>
$ glance md-property-create --name propx --title title1 --schema '{"description": "x", "type":"string"}' OS::Compute:
+-----
| Property | Value |
+-----
| description | x |
| name | propx |
| title | title1 |
| type | string |
+-----
In contrast, updating a private namespace is forbidden:
$ glance md-object-create --name objectx --schema {} NS1003
403 Forbidden: Forbidding request, metadata definition namespace=NS1003 is not visible. (HTTP 403)
I'm assuming that public namespaces are intended to be public in a read-only sense (like images).
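A small model of the two authorization rules at issue, added here as an illustration and not taken from Glance's code or the report: the first treats any namespace the caller can see as writable (the behaviour observed above), the second treats 'public' as read-only for everyone except the owning project and admins. Project ids, the admin namespace name and the NS1003 owner are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Namespace:
    """Subset of a metadef namespace record, as shown by md-namespace-show."""
    namespace: str
    owner: str          # project id (or 'admin') that created the namespace
    visibility: str     # 'public' or 'private'
    protected: bool = False   # deletion guard, not an edit guard (the report adds objectx to a protected namespace)

@dataclass(frozen=True)
class RequestContext:
    """Caller identity derived from the token (see 'openstack token issue')."""
    project_id: str
    is_admin: bool = False

def is_visible(ns, ctx):
    """Read rule: public namespaces are readable by any project, private ones
    only by their owner or an admin (this is the 403 on NS1003 in the report)."""
    return ns.visibility == "public" or ctx.is_admin or ns.owner == ctx.project_id

def may_modify_reported(ns, ctx):
    """Behaviour the report describes: whatever is visible can also be modified,
    so objects and properties can be added to any public namespace."""
    return is_visible(ns, ctx)

def may_modify_hardened(ns, ctx):
    """Expected rule: 'public' grants read access only; writes stay with the
    owning project or an admin. Visibility alone never authorizes a write."""
    return ctx.is_admin or ns.owner == ctx.project_id

def compare_rules(ns, ctx):
    """Evaluate both rules side by side so the divergence is explicit."""
    return {"visible": is_visible(ns, ctx),
            "modify_reported": may_modify_reported(ns, ctx),
            "modify_hardened": may_modify_hardened(ns, ctx)}

# Constructed scenario mirroring the report; ids and names are placeholders.
OWNER = RequestContext(project_id="project-a")
OTHER = RequestContext(project_id="project-b")
ADMIN = RequestContext(project_id="admin", is_admin=True)
NS_PUBLIC = Namespace("NS1001", owner="project-a", visibility="public")
NS_ADMIN = Namespace("OS::Example::Placeholder", owner="admin", visibility="public", protected=True)
NS_PRIVATE = Namespace("NS1003", owner="project-a", visibility="private")

if __name__ == "__main__":
    for ns, ctx in [(NS_PUBLIC, OTHER), (NS_ADMIN, OTHER), (NS_PRIVATE, OTHER)]:
        print(ns.namespace, ctx.project_id, compare_rules(ns, ctx))
```

For the two public namespaces the rules disagree only on the write decision, which is exactly the gap the report describes; for the private namespace both rules refuse, matching the 403.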
information type: Public → Private Security
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.