Able to request a V2 token for user and project in a non-default domain

Bug #1483382 reported by Guang Yee
+-------------------------------+--------------+------------+---------------+-----------+
| Affects                       | Status       | Importance | Assigned to   | Milestone |
+-------------------------------+--------------+------------+---------------+-----------+
| OpenStack Identity (keystone) | Fix Released | High       | Dolph Mathews |           |
| Kilo                          | Fix Released | High       | Dolph Mathews |           |
| OpenStack Security Advisory   | Won't Fix    | Undecided  | Unassigned    |           |
+-------------------------------+--------------+------------+---------------+-----------+

Bug Description

Using the latest devstack, I am able to request a V2 token for user and project in a non-default domain. This is problematic as non-default domains are not supposed to be visible to V2 APIs.

Steps to reproduce:

1) install devstack

2) run these commands

gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 domain list
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| 769ad7730e0c4498b628aa8dc00e831f | foo | True | |
| default | Default | True | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 user list --domain 769ad7730e0c4498b628aa8dc00e831f
+----------------------------------+------+
| ID | Name |
+----------------------------------+------+
| cf0aa0b2d5db4d67a94d1df234c338e5 | bar |
+----------------------------------+------+
gyee@dev:~$ openstack --os-identity-api-version 3 --os-username admin --os-password secrete --os-user-domain-id default --os-project-name admin --os-project-domain-id default --os-auth-url http://localhost:5000 project list --domain 769ad7730e0c4498b628aa8dc00e831f
+----------------------------------+-------------+
| ID | Name |
+----------------------------------+-------------+
| 413abdbfef5544e2a5f3e8ac6124dd29 | foo-project |
+----------------------------------+-------------+
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"userId": "cf0aa0b2d5db4d67a94d1df234c338e5", "password": "secrete"}, "tenantId": "413abdbfef5544e2a5f3e8ac6124dd29"}}' -XPOST http://localhost:35357/v2.0/tokens | python -mjson.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 3006 100 2854 100 152 22164 1180 --:--:-- --:--:-- --:--:-- 22472
{
    "access": {
        "metadata": {
            "is_admin": 0,
            "roles": [
                "2b7f29ebd1c8453fb91e9cd7c2e1319b",
                "9fe2ff9ee4384b1894a90878d3e92bab"
            ]
        },
        "serviceCatalog": [
            {
                "endpoints": [
                    {
                        "adminURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                        "id": "3a92a79a21fb41379fa3e135be65eeff",
                        "internalURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                        "publicURL": "http://10.0.2.15:8774/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "nova",
                "type": "compute"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                        "id": "64338d9eb3054598bcee30443c678e2a",
                        "internalURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                        "publicURL": "http://10.0.2.15:8776/v2/413abdbfef5544e2a5f3e8ac6124dd29",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "cinderv2",
                "type": "volumev2"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "http://10.0.2.15:9292",
                        "id": "9216dc36806f492ead2fc58f88dfc50c",
                        "internalURL": "http://10.0.2.15:9292",
                        "publicURL": "http://10.0.2.15:9292",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "glance",
                "type": "image"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
                        "id": "8163d3afe8144cc0ad701d8065a80f12",
                        "internalURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
                        "publicURL": "http://10.0.2.15:8776/v1/413abdbfef5544e2a5f3e8ac6124dd29",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "cinder",
                "type": "volume"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "http://10.0.2.15:8773/",
                        "id": "1ae28abbafa040ebaba1a5930cd23b96",
                        "internalURL": "http://10.0.2.15:8773/",
                        "publicURL": "http://10.0.2.15:8773/",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "ec2",
                "type": "ec2"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
                        "id": "359f261d83a04ab7a66c804760aed0bf",
                        "internalURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
                        "publicURL": "http://10.0.2.15:8774/v2.1/413abdbfef5544e2a5f3e8ac6124dd29",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "novav21",
                "type": "computev21"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "http://10.0.2.15:35357/v2.0",
                        "id": "1ced0d5e8f7943f7b821340e2a4ac273",
                        "internalURL": "http://10.0.2.15:5000/v2.0",
                        "publicURL": "http://10.0.2.15:5000/v2.0",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "keystone",
                "type": "identity"
            }
        ],
        "token": {
            "audit_ids": [
                "fSQJJ2EnSC2pgeAbiEP3Rw"
            ],
            "expires": "2015-08-10T20:03:46Z",
            "id": "d68f365a9bb143008bd70be89ee0791a",
            "issued_at": "2015-08-10T19:03:46.542447",
            "tenant": {
                "description": "",
                "enabled": true,
                "id": "413abdbfef5544e2a5f3e8ac6124dd29",
                "name": "foo-project"
            }
        },
        "user": {
            "id": "cf0aa0b2d5db4d67a94d1df234c338e5",
            "name": "bar",
            "roles": [
                {
                    "name": "admin"
                },
                {
                    "name": "_member_"
                }
            ],
            "roles_links": [],
            "username": "bar"
        }
    }
}

Guang Yee (guang-yee)
description: updated
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Guang Yee (guang-yee) wrote :

Looks like this patch will fix both token request and token validation problem with v2 tokens operating in the non-default domain.

https://review.openstack.org/#/c/208069/6

Tristan Cacqueray (tristan-cacqueray) wrote :

Switching this bug to public since it's already referenced in the public review and also discussed in former bug 1475762.

information type: Private Security → Public Security
description: updated
Dolph Mathews (dolph) wrote :
Changed in keystone:
importance: Undecided → High
status: New → Fix Committed
assignee: nobody → Dolph Mathews (dolph)
Tristan Cacqueray (tristan-cacqueray) wrote :

So, is there a scenario where this bug can be used to gain access that wouldn't be allowed otherwise?
It seems like even though the user can impersonate admin username, it still keeps his user id and authorizations.

Morgan Fainberg (mdrnstm) wrote :

It would potentially open a door for some abuse when interacting with the Keystone V2 API as the API assumes domain is always default domain. There are many checks to validate that across the code base, but without directly testing this scenario for every possible V2 API call (to see what can be exploited) it is difficult to know the scope. Maintaining the user_id, scope, and AuthZ of the original user should mitigate most possible gaps.

Most cases should be unaffected, but this is definitely a gap in the V2 API that it was not designed to handle.

It should have functionally no impact outside of the Keystone APIs as (you indicated) the user_id, scope, and authZ are maintained even though the token will be missing some details - almost no project outside of Keystone consumes domain and limits operations to the active scope (identified by project_id).

Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Changed in ossa:
status: Incomplete → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/213216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9dfad21201251364c6d205e8e79813bfe78e6107
Submitter: Jenkins
Branch: stable/kilo

commit 9dfad21201251364c6d205e8e79813bfe78e6107
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 31 20:31:54 2015 +0000

    Validate domain ownership for v2 tokens

    The v2 API is not domain aware, and so the default domain serves to
    provide an implicit domain scope for v2 API clients. If a v3 token with
    a user (or project scope) outside the default domain is validated by the
    v2 API, the user (or project) reference may result in a collision due to
    the namespacing provided by domains.

    This patch provides validation that the references being returned to the
    v2 API are in fact in the default domain, and thus cannot result in
    namespace collisions.

    Conflicts:

    - keystone/tests/unit/test_v3_auth.py: A readability refactor has landed
      in master. Those changes have not been backported to stable/kilo.

    Change-Id: Ia75c260485b2cff3cd6cf5cf39c0ec715b99df10
    Depends-On: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4
    Closes-Bug: 1475762
    Closes-Bug: 1483382
    (cherry picked from commit c4723550aa95be403ff591dd132c9024549eff10)

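The commit message above describes the fix as a check that the user and project references handed back through the v2 API are in the default domain. The following is an added illustration of that check, written for this page and not keystone's own code. It uses a constructed in-memory directory (placeholder ids, not the ids from the report) in which the name "admin" exists in two domains, so it also shows the namespace collision the commit message refers to: a v2 client identifies users and tenants by name only, and the default-domain filter is what keeps such a name unambiguous.

```python
# Added example, not keystone's own code. Models the check from the commit
# message above: before a v2 token is issued (or a v3 token is validated via
# v2), confirm the user and project references belong to the default domain.
from dataclasses import dataclass
from typing import Dict, Optional

# Keystone's conventional default domain id, as listed in the report above.
DEFAULT_DOMAIN_ID = "default"


class Unauthorized(Exception):
    """Raised when a reference must not be exposed through the v2 API."""


@dataclass(frozen=True)
class User:
    id: str
    name: str
    domain_id: str


@dataclass(frozen=True)
class Project:
    id: str
    name: str
    domain_id: str


# Constructed sample directory (placeholder ids, not values from the report).
# "admin" exists in two domains: that is the collision the v2 API cannot express.
USERS: Dict[str, User] = {
    "u-default-admin": User("u-default-admin", "admin", DEFAULT_DOMAIN_ID),
    "u-foo-admin": User("u-foo-admin", "admin", "d-foo"),
    "u-foo-bar": User("u-foo-bar", "bar", "d-foo"),
}
PROJECTS: Dict[str, Project] = {
    "p-default-admin": Project("p-default-admin", "admin", DEFAULT_DOMAIN_ID),
    "p-foo-project": Project("p-foo-project", "foo-project", "d-foo"),
}


def assert_default_domain(ref, kind: str) -> None:
    """Reject any user/project reference that lives outside the default domain."""
    if ref.domain_id != DEFAULT_DOMAIN_ID:
        raise Unauthorized(
            f"{kind} {ref.id!r} belongs to domain {ref.domain_id!r}; "
            "only default-domain references are visible to the v2 API"
        )


def issue_v2_token(user_id: str, project_id: str) -> dict:
    """Build a v2-style token body, but only for default-domain references.

    The check runs before the body is assembled, so a non-default-domain user
    or tenant never appears in a v2 response at all.
    """
    user = USERS[user_id]
    project = PROJECTS[project_id]
    assert_default_domain(user, "user")
    assert_default_domain(project, "project")
    return {
        "access": {
            "user": {"id": user.id, "name": user.name, "username": user.name},
            "token": {"tenant": {"id": project.id, "name": project.name}},
        }
    }


def v2_token_allowed(user_id: str, project_id: str) -> bool:
    """True if the v2 API may issue a token for this user/project pair."""
    try:
        issue_v2_token(user_id, project_id)
        return True
    except Unauthorized:
        return False


def resolve_v2_user_by_name(name: str) -> Optional[User]:
    """A v2 client supplies only a user name. Restricting the lookup to the
    default domain is what makes the name unique; see unscoped_name_matches
    for how many users the bare name would otherwise match."""
    matches = [u for u in USERS.values()
               if u.name == name and u.domain_id == DEFAULT_DOMAIN_ID]
    return matches[0] if matches else None


def unscoped_name_matches(name: str) -> int:
    """Number of users sharing this name across all domains (the collision)."""
    return sum(1 for u in USERS.values() if u.name == name)


if __name__ == "__main__":
    print(issue_v2_token("u-default-admin", "p-default-admin"))
    print("foo-domain user allowed via v2:",
          v2_token_allowed("u-foo-bar", "p-foo-project"))
    print("users named 'admin' across domains:", unscoped_name_matches("admin"))
```

The same `assert_default_domain` check applies on the validation path: when a v3-issued token is presented to the v2 validate call, the user and project it carries are passed through the check before a v2-formatted body is returned, which is the half of the problem the reporter's patch comment and the commit message both mention.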
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-3 → 8.0.0
This report contains Public Security information  
Everyone can see this security related information.