Comment 14 for bug 1287219

Henry Nash (henry-nash) wrote : Re: [Bug 1287219] Re: scope of domain admin too broad in v3 policy sample

Hi Thierry

I think that actually did fix this, with the patch I submitted.

Henry
On 24 Mar 2014, at 15:25, Thierry Carrez <email address hidden> wrote:

> ** Changed in: ossa
> Status: Incomplete => Won't Fix
>
> --
> https://bugs.launchpad.net/bugs/1287219
>
> Title:
> scope of domain admin too broad in v3 policy sample
>
> Status in OpenStack Identity (Keystone):
> Fix Committed
> Status in OpenStack Security Advisories:
> Won't Fix
> Status in OpenStack Security Notes:
> New
>
> Bug description:
> Using the policies in the new default policy.v3cloudsample.json file,
> a domain admin can easily elevate himself and become the cloud admin:
>
> 1) Get a token of a domain admin (a user with 'admin' role on any domain other than the default domain, which is the cloud admin's domain)
> 2) Grant yourself the admin role on the default domain, which is the domain of the cloud admin (PUT /v3/domains/default/user/<your_id_here>/roles/<admin_role_id>)
> 3) Change your domain_id to the id of the default domain (PATCH /v3/users/<your_id_here> -d '{"user": {"domain_id": "default"}}')
> 4) Get a new token scoped to the default domain
>
> ==> You are now the cloud admin
>
> It is expected that step number 2 should fail. Admins should be able
> to grant roles only on their domain and their projects, not on other
> projects. Otherwise, it is as if they are not really scoped at all.
>
> NOTE: I am using the default policy.v3cloudsample.json file as is, unchanged. I only defined the domain of the cloud admins to be the default domain by editing this rule:
> "cloud_admin": "rule:admin_required and domain_id:default",
>
> I think that the default policy file should be changed to prevent
> administrators' ability to grant roles on objects of foreign domains
> (with the exception of admins in the domain defined by the cloud_admin
> rule, of course).
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1287219/+subscriptions
>
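As an added illustration (not code from this bug thread or from Keystone itself), the following toy evaluator for a small subset of the policy rule language contrasts a grant rule that only requires the admin role, which lets an admin of any domain grant roles on the cloud admin's domain, with one that also ties the grant to the admin's own domain. The `identity:create_grant` and `domain_admin_on_target` rule names and the `%(target.domain_id)s` attribute are assumptions for the example; only `admin_required` and `cloud_admin` come from the report.

```python
"""Toy evaluator for a subset of an oslo.policy-style rule language.

Supports 'rule:X', 'role:X', 'key:value' and 'key:%(target.field)s' atoms
joined by ' and ' / ' or ' (and binds tighter). Added example; the rule
strings below are assumptions and not Keystone's shipped policy.
"""
import re


def evaluate(rules, name, creds, target):
    """Return True if rule `name` holds for the token `creds` acting on `target`."""
    for or_part in rules[name].split(" or "):
        if all(_atom(rules, a.strip(), creds, target) for a in or_part.split(" and ")):
            return True
    return False


def _atom(rules, atom, creds, target):
    key, _, value = atom.partition(":")
    if key == "rule":
        return evaluate(rules, value, creds, target)
    if key == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((target\.[\w.]+)\)s", value)
    if m:  # substitute a field of the object being acted upon
        value = target
        for part in m.group(1).split(".")[1:]:
            value = value.get(part, {}) if isinstance(value, dict) else None
    return creds.get(key) == value


BROAD = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    # Over-broad (assumed): any admin may grant roles on any domain.
    "identity:create_grant": "rule:admin_required",
}

SCOPED = dict(BROAD)
# Scoped (assumed): only the cloud admin, or an admin of the target's own domain.
SCOPED["domain_admin_on_target"] = "rule:admin_required and domain_id:%(target.domain_id)s"
SCOPED["identity:create_grant"] = "rule:cloud_admin or rule:domain_admin_on_target"


def can_grant(rules, creds, target_domain_id):
    """Would this token be allowed to grant a role on the given domain?"""
    return evaluate(rules, "identity:create_grant", creds, {"domain_id": target_domain_id})


# Constructed sample: an admin of domain "acme" acting on the cloud admin's "default" domain.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "acme"}
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "default"}

if __name__ == "__main__":
    print("broad  :", can_grant(BROAD, DOMAIN_ADMIN, "default"))   # True  (the bug)
    print("scoped :", can_grant(SCOPED, DOMAIN_ADMIN, "default"))  # False (denied)
```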