Project admin gets treated as Global Admin with Secure RBAC

Bug #1933269 reported by Erno Kuvaja
Affects                      Status     Importance  Assigned to  Milestone
Glance                       New        Critical    Unassigned
Glance (Wallaby)             New        Undecided   Unassigned
Glance (Xena)                New        Undecided   Unassigned
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned

Bug Description

A user who has been assigned the admin role within their own project gets treated as a de facto global admin in Glance, even when the project-scoped "Secure RBAC" feature is enabled.

Secure RBAC personas were introduced in the Wallaby cycle, creating project scope. If a user is granted admin rights within project scope under the Secure RBAC role model, that user gets treated as a full admin in Glance.

stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | ed7b2d168e444122b9700701834e8d97 |
| is_domain | False |
| name | privilege-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
NOTE THE PROJECT ID.

stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email <email address hidden> --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest

+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | ed7b2d168e444122b9700701834e8d97 |
| domain_id | default |
| email | <email address hidden> |
| enabled | True |
| id | eb0d6ce9c6bc42ee8962ad97849b38f7 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+

stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin

stack@ubnt-devstack:~/devstack$ openstack role assignment list --names

+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE: the 'privtest@Default' user has no roles other than admin, and only in the 'privilege-test@Default' project.

stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3

NOTE: Using the privtest:privilege-test user and project.

stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | True |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:00:53Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum | b874c39491a2377b8490f5f1e89761a4 |
| container_format | bare |
| created_at | 2021-06-22T18:34:43Z |
| disk_format | qcow2 |
| hw_rng_model | virtio |
| id | ca2eea09-77f5-4c21-bf32-e7774c4f6b70 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.5.2-x86_64-disk |
| os_hash_algo | sha512 |
| os_hash_value | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
| | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869 |
| os_hidden | False |
| owner | 03ba31a4978e4654a3d185f55711586a |
| owner_specified.openstack.md5 | |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk |
| owner_specified.openstack.sha256 | |
| protected | False |
| size | 16300544 |
| status | active |
| tags | [] |
| updated_at | 2021-06-22T19:49:01Z |
| virtual_size | 117440512 |
| visibility | public |
+----------------------------------+----------------------------------------------------------------------------------+

The owner of the image is _NOT_ the privilege-test project, as one can see by comparing the project id noted above with the owner field.

Any deployment utilizing Secure RBAC and assigning the admin role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance to that user.

This behaviour is not limited to Secure RBAC; it was carried over into it, and with Secure RBAC it is more likely to be relied upon.

Tags: security
Erno Kuvaja (jokke)
description: updated
Erno Kuvaja (jokke)
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Abhishek Kekane (abhishek-kekane) wrote (last edit ):

This is what we decided while implementing the project persona during Wallaby: the project-admin persona is still reserved for administrative API access for system administrators/operators. This will remain the case until we can refactor portions of glance to make it easier to implement system-scope.

https://review.opendev.org/c/openstack/glance/+/764754

Secure RBAC work is still experimental in Glance. So should we treat this bug as a security issue?
https://github.com/openstack/glance/blob/master/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml

Just for reference;

https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/25/glance_tempest_plugin/tests/rbac/v2/test_images.py#576

These are effectively what we currently consider to be "admin" today, which is "can do anything." These are testing those assumptions today, which before RBAC changes, are true. The FIXME comments in these tests describe what will need to change when this class is actually scoped to just admin-of-a-project. In effect, the SystemAdminTests above (currently disabled) will validate the actual can-do-anything admin after that is enabled, when these change to just assert what we expect a project admin to do.

Revision history for this message
Erno Kuvaja (jokke) wrote :

So first of all, this behaviour is not present only when Secure RBAC is enabled; project scoping just did not change the situation as it should have.

If Project (Tenant) X has an admin account expected to be scoped as _Secure_ RBAC defines it, and that project-scoped admin in fact has admin privileges across all tenants and is able to access and modify all images in the system, then yes, it is a security issue. It makes me even more worried if it was deliberately made so, yet not documented. I did not test this, but I'm assuming it behaves the same way across domains as well.

This makes multitenancy interoperability impossible with any APIs that actually expect projects to have properly scoped roles and need admin accounts.

Unlike the rest of the Secure RBAC work, this also needs to be addressed in only one place, https://opendev.org/openstack/glance/src/branch/master/glance/api/policy.py#L99-L106, to be effective.
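To make the policy distinction in the bug description and in the comment above concrete, here is an added example (not Glance's policy.py and not code from anyone in this thread) that models the two decisions side by side: a legacy check where the admin role in any scope is treated as cloud-wide admin, and a scope-aware check where only a system-scoped admin token crosses project boundaries. It also parses a constructed `openstack role assignment list --names` table, shaped like the one in the report, to list project-scoped admin assignments, which are exactly the accounts that the legacy behaviour silently promotes to global admin. All names (`RequestContext`, `can_modify_image`, `project_scoped_admins`, etc.) are hypothetical; the ids reuse those shown in the report.

```python
"""Added example: legacy vs scope-aware admin decision for image updates.

Hypothetical model of the policy check; not Glance's own implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RequestContext:
    """Minimal stand-in for a Keystone-authenticated request context."""
    user_id: str
    roles: frozenset
    project_id: Optional[str] = None    # set for project-scoped tokens
    system_scope: Optional[str] = None  # "all" for system-scoped tokens


@dataclass(frozen=True)
class Image:
    image_id: str
    owner: str  # owning project id


def legacy_is_admin(ctx: RequestContext) -> bool:
    """Pre-Secure-RBAC style: the admin role in *any* scope is global admin."""
    return "admin" in ctx.roles


def scoped_is_system_admin(ctx: RequestContext) -> bool:
    """Scope-aware: only a system-scoped token carrying admin is cloud-wide."""
    return "admin" in ctx.roles and ctx.system_scope == "all"


def can_modify_image(ctx: RequestContext, image: Image, scope_aware: bool = True) -> bool:
    """Decide whether ctx may update image (e.g. clear its protected flag)."""
    if not scope_aware:
        # Legacy behaviour described in the report: admin anywhere wins.
        return legacy_is_admin(ctx) or ctx.project_id == image.owner
    if scoped_is_system_admin(ctx):
        return True
    # Project-scoped admin or member may act only on their own project's images.
    return ctx.project_id == image.owner and bool({"admin", "member"} & ctx.roles)


# Constructed table in the shape of `openstack role assignment list --names`.
ROLE_ASSIGNMENTS = """\
| Role   | User             | Group          | Project                | Domain  | System | Inherited |
| admin  |                  | admins@Default | admin@Default          |         |        | False     |
| admin  | privtest@Default |                | privilege-test@Default |         |        | False     |
| member | demo@Default     |                | demo@Default           |         |        | False     |
| admin  | admin@Default    |                |                        |         | all    | False     |
"""


def parse_assignments(table: str) -> List[Dict[str, str]]:
    """Parse the pipe-delimited CLI table into one dict per assignment row."""
    rows, header = [], None
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # skip +----+ borders or stray text
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = [c.lower() for c in cells]
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def project_scoped_admins(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Admin assignments on a project (not system) scope. Under the legacy
    check every one of these is an effective global admin in Glance."""
    return sorted(
        (r["user"] or r["group"], r["project"])
        for r in rows
        if r["role"] == "admin" and r["project"] and not r["system"]
    )


# Contexts and images built from the ids shown in the bug report.
PRIVTEST_CTX = RequestContext(
    user_id="eb0d6ce9c6bc42ee8962ad97849b38f7",
    roles=frozenset({"admin"}),
    project_id="ed7b2d168e444122b9700701834e8d97",
)
SYSTEM_ADMIN_CTX = RequestContext(
    user_id="constructed-system-admin", roles=frozenset({"admin"}), system_scope="all"
)
CIRROS = Image("ca2eea09-77f5-4c21-bf32-e7774c4f6b70", owner="03ba31a4978e4654a3d185f55711586a")
OWN_IMAGE = Image("constructed-own-image", owner="ed7b2d168e444122b9700701834e8d97")

if __name__ == "__main__":
    print("legacy, privtest on cirros:", can_modify_image(PRIVTEST_CTX, CIRROS, scope_aware=False))
    print("scoped, privtest on cirros:", can_modify_image(PRIVTEST_CTX, CIRROS))
    print("effective global admins:", project_scoped_admins(parse_assignments(ROLE_ASSIGNMENTS)))
```

The legacy branch reproduces the report: the privtest project admin can update an image owned by another project. The scope-aware branch denies it while still letting the same user manage images in their own project, and the audit helper gives an operator a quick list of which assignments to review while the Glance behaviour stands.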

Revision history for this message
Gage Hugo (gagehugo) wrote :

I believe this is related to https://bugs.launchpad.net/keystone/+bug/968696 which has been worked on over many years now across most openstack projects.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Similar bug 1933332 for Cinder has been made public. Is there any reason to continue keeping this one for Glance under wraps?

Revision history for this message
Gage Hugo (gagehugo) wrote :

I don't believe so, since this is similar to the other opened ones in other projects and is still being worked on.

information type: Private Security → Public Security
Jeremy Stanley (fungi)
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

After discussing, the Vulnerability Management Team members have concluded that the in-progress but incomplete RBAC implementation in various projects does not rise to the level of requiring a published security advisory, particularly as this work is likely to take place primarily in development branches and not be backported to supported stable branches. Some clearer documentation on behalf of the implementing projects is likely warranted in order to warn users of the caveats and potential pitfalls of relying on RBAC in its current state, but that's separate from whether or not we publish advisories about any fixes which may merge to complete the implementation.

Changed in ossa:
status: Incomplete → Won't Fix
tags: added: security
information type: Public Security → Public