Domain admin can see all domains and projects with openstack client
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
Environment
Deployed using Kolla-ansible version 7.0.0.0b2 in VMs on ESXi 5.5 (same problem occurs on Queens release)
3 controllers and various other VMs for other roles (22 in total)
Parameters:
Default policy.json configuration - no override files, such as policy.
Commands run:
(export variables set for admin user)
```
domain create TestDomain
project create --domain TestDomain TestDomainProject
user create --domain TestDomain --password test TestDomainAdmin
role add --project-domain TestDomain --project TestDomainProject --user TestDomainAdmin admin
```
(export variables set to TestDomainAdmin user's domain and project - openstack client run again)
```
(openstack) domain list
+------
| ID | Name | Enabled | Description |
+------
| 7a44fa16d42443c
| c4ce448b93a949b
| default | Default | True | The default domain |
| e082d7aefb31404
+------
(openstack) project list
+------
| ID | Name |
+------
| 371b28700a06462
| 3a526ae9a3874ab
| 5abb3ac26dae4d2
+------
```
Issue:
Horizon interface properly shows only the TestDomainProject project and no Domains tab, which is correct. The API that the openstack client uses is returning root-level information as shown above, such as other domains' projects as well as every domain.
Am I missing something, or is this a bug?
Thanks!
Eric
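Why the default policy behaves this way, as an added illustration that is not keystone's or oslo.policy's code: keystone's classic `admin_required` rule (`role:admin or is_admin:1`) checks only for the role, never the token's scope, so a project admin in TestDomain passes the `identity:list_domains` and `identity:list_projects` checks for any target. The evaluator below is a simplified stand-in for oslo.policy, and the `SCOPED_RULES` override, the credential dict and its IDs are constructed for the demonstration.

```python
# Added illustration (not oslo.policy, not keystone code): a tiny evaluator for
# the subset of oslo.policy rule syntax used here: "@" (always allow),
# "role:NAME", "is_admin:1", "rule:OTHER", "ATTR:literal", "ATTR:%(target.path)s",
# joined by "and" / "or" ("and" binds tighter, as in oslo.policy; no parentheses).

# Keystone's classic defaults: listing domains or projects needs only the admin
# role; the token's domain/project scope is never consulted.
DEFAULT_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_domains": "rule:admin_required",
    "identity:list_projects": "rule:admin_required",
}

# Hypothetical tightened override, for comparison only: additionally require
# that the token's domain matches the domain being listed.
SCOPED_RULES = dict(DEFAULT_RULES)
SCOPED_RULES["identity:list_domains"] = "rule:admin_required and domain_id:%(target.domain_id)s"

def _lookup(path, target):
    """Resolve a dotted path such as 'target.domain_id'; None if absent."""
    obj = {"target": target}
    for part in path.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return None if isinstance(obj, dict) else obj

def _term(term, creds, target, rules):
    """Evaluate one 'kind:value' check against the credentials."""
    if term == "@":
        return True
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return evaluate(rules[value], creds, target, rules)
    if value.startswith("%(") and value.endswith(")s"):
        value = _lookup(value[2:-2], target)  # substitute from the target
    return kind in creds and value is not None and str(creds[kind]) == str(value)

def evaluate(rule, creds, target, rules):
    """True if the rule string grants access for these credentials and target."""
    return any(all(_term(t.strip(), creds, target, rules) for t in conj.split(" and "))
               for conj in rule.split(" or "))

def allowed(action, creds, target, rules=DEFAULT_RULES):
    return evaluate(rules[action], creds, target, rules)

# Constructed credentials for TestDomainAdmin's project-scoped token (placeholder IDs).
TESTDOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "testdomain-id",
                    "project_id": "testdomainproject-id"}
```

With the default rules, `allowed("identity:list_domains", TESTDOMAIN_ADMIN, {"domain_id": "default"})` is True for the Default domain exactly as the listing above shows; with the scoped override it is False for any domain other than TestDomain.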
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.