Activity log for bug #1684320

Date | Who | What changed | Old value | New value | Message

2017-04-19 23:38:25 | Mohammed Naser | bug | (none) | (none) | added bug

2017-04-19 23:53:51 | Jeremy Stanley | description
  Old value:
    Keystone has a sample policy file to create a concept of domains per customer, with a domain admin that manages users and tenants inside that domain. https://github.com/openstack/keystone/commits/master/etc/policy.v3cloudsample.json
    In this policy, the domain admin role (a user who manages that domain) would get the "admin" role assigned to them. However, with the "admin" role assigned to them, they can make requests to the admin_api (in this case, the Nova example). https://github.com/openstack/nova/blob/master/nova/policies/base.py#L18-L28
    I have done a fair bit of checking but I believe that a domain admin can get full access to the admin_api (or be able to create a user with an "admin" role and get access to the entire cloud). I believe this affects all other projects, and users of this policy would not be aware of the level of access given to a domain admin.
    Perhaps the file can be revised to use a role like "domain_admin" and Keystone would have a setting of "reserved role names" which cannot be used (e.g. block the role "admin" from being created in a domain).
    Please forgive me in advance if this is not a security issue and a lack of understanding (I hope it is), but I have done a fair amount of research on this so far and it seems like getting access to that `admin` role is an issue.
  New value:
    This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
    Keystone has a sample policy file to create a concept of domains per customer, with a domain admin that manages users and tenants inside that domain. https://github.com/openstack/keystone/commits/master/etc/policy.v3cloudsample.json
    In this policy, the domain admin role (a user who manages that domain) would get the "admin" role assigned to them. However, with the "admin" role assigned to them, they can make requests to the admin_api (in this case, the Nova example). https://github.com/openstack/nova/blob/master/nova/policies/base.py#L18-L28
    I have done a fair bit of checking but I believe that a domain admin can get full access to the admin_api (or be able to create a user with an "admin" role and get access to the entire cloud). I believe this affects all other projects, and users of this policy would not be aware of the level of access given to a domain admin.
    Perhaps the file can be revised to use a role like "domain_admin" and Keystone would have a setting of "reserved role names" which cannot be used (e.g. block the role "admin" from being created in a domain).
    Please forgive me in advance if this is not a security issue and a lack of understanding (I hope it is), but I have done a fair amount of research on this so far and it seems like getting access to that `admin` role is an issue.

2017-04-19 23:54:02 | Jeremy Stanley | bug task added | (none) | ossa

2017-04-19 23:54:21 | Jeremy Stanley | bug | (none) | (none) | added subscriber Keystone Core security contacts

2017-04-19 23:54:26 | Jeremy Stanley | ossa: status | New | Incomplete

2017-08-09 22:25:40 | Jeremy Stanley | description
  Old value:
    This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
    Keystone has a sample policy file to create a concept of domains per customer, with a domain admin that manages users and tenants inside that domain. https://github.com/openstack/keystone/commits/master/etc/policy.v3cloudsample.json
    In this policy, the domain admin role (a user who manages that domain) would get the "admin" role assigned to them. However, with the "admin" role assigned to them, they can make requests to the admin_api (in this case, the Nova example). https://github.com/openstack/nova/blob/master/nova/policies/base.py#L18-L28
    I have done a fair bit of checking but I believe that a domain admin can get full access to the admin_api (or be able to create a user with an "admin" role and get access to the entire cloud). I believe this affects all other projects, and users of this policy would not be aware of the level of access given to a domain admin.
    Perhaps the file can be revised to use a role like "domain_admin" and Keystone would have a setting of "reserved role names" which cannot be used (e.g. block the role "admin" from being created in a domain).
    Please forgive me in advance if this is not a security issue and a lack of understanding (I hope it is), but I have done a fair amount of research on this so far and it seems like getting access to that `admin` role is an issue.
  New value:
    Keystone has a sample policy file to create a concept of domains per customer, with a domain admin that manages users and tenants inside that domain. https://github.com/openstack/keystone/commits/master/etc/policy.v3cloudsample.json
    In this policy, the domain admin role (a user who manages that domain) would get the "admin" role assigned to them. However, with the "admin" role assigned to them, they can make requests to the admin_api (in this case, the Nova example). https://github.com/openstack/nova/blob/master/nova/policies/base.py#L18-L28
    I have done a fair bit of checking but I believe that a domain admin can get full access to the admin_api (or be able to create a user with an "admin" role and get access to the entire cloud). I believe this affects all other projects, and users of this policy would not be aware of the level of access given to a domain admin.
    Perhaps the file can be revised to use a role like "domain_admin" and Keystone would have a setting of "reserved role names" which cannot be used (e.g. block the role "admin" from being created in a domain).
    Please forgive me in advance if this is not a security issue and a lack of understanding (I hope it is), but I have done a fair amount of research on this so far and it seems like getting access to that `admin` role is an issue.

2017-08-09 22:25:46 | Jeremy Stanley | information type | Private Security | Public

2017-08-09 22:25:54 | Jeremy Stanley | information type | Public | Public Security

2017-08-16 15:44:58 | Jeremy Stanley | ossa: status | Incomplete | Won't Fix

2017-08-16 15:45:14 | Jeremy Stanley | information type | Public Security | Public

2017-08-16 15:45:36 | Jeremy Stanley | tags | (none) | security

2018-01-08 22:16:00 | Lance Bragstad | marked as duplicate | (none) | 968696