OpenStack Identity (keystone)

v3/role_assignments filtering exposes unnecessary role assignments

Bug #1846817 reported by Lance Bragstad
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
In Progress
Medium
Vishakha Agarwal
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

I have a deployment that exercises multiple system role assignments:

 - An "operator" user has the "admin" role on the system
 - A "system-support" user has the "member" role on the system
 - A "system-admins" group has the "reader" role on the system

If I ask keystone to filter a list of role assignments by --system all and --role member, I should only see a list with the "system-support" user and the "operator" user. Instead, I get a list with three entries that includes the group, which doesn't have the member role at all, it only has reader.

Depending on how you classify this, it could leak information to clients. Groups don't appear to be filtered from the list since "reader" doesn't imply "member" (it's the other way around).

$ openstack role assignment list --names --system all --debug
START with options: role assignment list --names --system all --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='', auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
compute API version 2.1, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 3, cmd group openstack.volume.v3
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
key_manager API version 1, cmd group openstack.key_manager.v1
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
Using auth plugin: password
Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
Starting new HTTP connection (1): 10.0.3.122:80
http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.0.3.122/identity/v3/", "rel": "self"}]}]}}
GET call to http://10.0.3.122/identity used request id req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["JVQCRxBoTUyzm2CqiCoj6w"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, project=None, project_domain=None, quote_mode='nonnumeric', role=None, role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["U9Z3md9YTP-9-bTLuPDIzg"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}042443671367aa0183e15fd2692bf4c70d15050bdac46db883fd836440ae1065"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&include_names=True HTTP/1.1" 200 2401
RESP: [200] Connection: close Content-Length: 2401 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "c814cd4739bd4960ad08ade3814f1560", "name": "system-admins"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/c814cd4739bd4960ad08ade3814f1560/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e", "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0ec0eb48c66d4fb79c432a2ff8c5d257", "name": "admin"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0ec0eb48c66d4fb79c432a2ff8c5d257/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "e8fec49e15984aedb5e1235f279434fe", "name": "auditor"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/e8fec49e15984aedb5e1235f279434fe/roles/7ee093f4ccf345bba963ce765f9b797f"}}], "links": {"self": "http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True", "previous": null, "next": null}}

GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True used request id req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| admin | | system-admins@Default | | | all | False |
| reader | | system-auditors@Default | | | all | False |
| admin | admin@Default | | | | all | False |
| admin | operator@Default | | | | all | False |
| member | system-support@Default | | | | all | False |
| reader | auditor@Default | | | | all | False |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
clean_up ListRoleAssignment:
END return value: 0

The Trace above lists all system role assignments to confirm my setup locally. The following trace shows that the group is returned with the wrong role assignment based on the filter.

$ openstack role assignment list --names --system all --role member --debug [1/880]
START with options: role assignment list --names --system all --role member --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='',
 auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domai
n_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=F
alse, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='',
 passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_proje
ct_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', usern
ame='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'ne
utron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_
version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 've
rify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope':
'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None,
'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interfa
ce': 'public', u'disable_vendor_agent': {}}
compute API version 2.1, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 3, cmd group openstack.volume.v3
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
key_manager API version 1, cmd group openstack.key_manager.v1
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'q
cow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_ti
meout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tas
ks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_h
elp': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
Using auth plugin: password
Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
Starting new HTTP connection (1): 10.0.3.122:80
http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:49 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-d5
784d4c-7b47-4647-b912-65e6a78b835e
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.
0.3.122/identity/v3/", "rel": "self"}]}]}}
GET call to http://10.0.3.122/identity used request id req-d5784d4c-7b47-4647-b912-65e6a78b835e
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
m": {"all": true}, "expires_at": "2019-10-04T19:56:49.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["SGRaWT8BTVuzELGwxqjBdg"], "issued_at": "2019-10-04T18:56:49.000000
Z"}}
run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, pro
ject=None, project_domain=None, quote_mode='nonnumeric', role=u'member', role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
m": {"all": true}, "expires_at": "2019-10-04T19:56:50.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["2nu0u-1wQRmWA9_uS2hZ-g"], "issued_at": "2019-10-04T18:56:50.000000
Z"}}
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles/member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/roles/member HTTP/1.1" 404 84
RESP: [404] Connection: close Content-Length: 84 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-88bce424-60f2-4d2a-a6f5-2bd256602789
RESP BODY: {"error":{"code":404,"message":"Could not find role: member.","title":"Not Found"}}

GET call to identity for http://10.0.3.122/identity/v3/roles/member used request id req-88bce424-60f2-4d2a-a6f5-2bd256602789
Request returned failure status: 404
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles?name=member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/roles?name=member HTTP/1.1" 200 322
RESP: [200] Connection: close Content-Length: 322 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-ce429b68-b53d-4c49-9080-ed3da3bce55b
RESP BODY: {"links": {"self": "http://10.0.3.122/identity/v3/roles?name=member", "previous": null, "next": null}, "roles": [{"description": null, "links": {"self": "http://10.0.3.122/identity/v3/roles/a8cd98f2e98d4135b2fa83950d6171ec"}, "
options": {}, "id": "a8cd98f2e98d4135b2fa83950d6171ec", "domain_id": null, "name": "member"}]}

GET call to identity for http://10.0.3.122/identity/v3/roles?name=member used request id req-ce429b68-b53d-4c49-9080-ed3da3bce55b
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA
256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True HTTP/1.1" 200 1328
RESP: [200] Connection: close Content-Length: 1328 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-08f9bdb9-149d-4905-96cc-99b87c8b6339
RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e"
, "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba74
7046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914
e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id":
 "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}], "links": {"self": "http://10.
0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True", "previous": null, "next": null}}

GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True used request id req-08f9bdb9-149d-4905-96cc-99b87c8b6339
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| reader | | system-auditors@Default | | | all | False |
| admin | operator@Default | | | | all | False |
| member | system-support@Default | | | | all | False |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
clean_up ListRoleAssignment:
END return value: 0

See original description
Tags: security
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Technically, a user that can access this API can view all role assignments anyway. I'm erring to the side of caution and opening this as a security vulnerability.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Ok - I played with this a little more locally and I don't think we have a true security vulnerability. I checked all of this with domain administrators and the filtering from the request is accounted for in authorization.

I think we're safe to open this up as a public filtering issue with the v3/role_assignments API.

https://gist.github.com/lbragstad/df576b7552b751fae16a35aa3c176b3e

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

Based on Lance's comments, I'm inclined to agree this sounds more like a security hardening opportunity (class D) or even just a regular old bug (class E): https://security.openstack.org/vmt-process.html#templates

Revision history for this message
Gage Hugo (gagehugo) wrote :

Yeah, agreed on likely class D or E here.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Sounds good - I apologize for the false alarm.

Should I make this public?

Revision history for this message
Gage Hugo (gagehugo) wrote :

Yes

Lance Bragstad (lbragstad)
information type: Private Security → Public
Jeremy Stanley (fungi)
Changed in ossa:
status: Incomplete → Won't Fix
description: updated
tags: added: security
Lance Bragstad (lbragstad)
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Colleen Murphy (krinkle) wrote :

Can you say whether this is new in Train, or present since Stein? If it is new in Train, we should try to correct it ASAP before the final release.

Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/738190

Changed in keystone:
status: Triaged → In Progress
Revision history for this message
Lance Bragstad (lbragstad) wrote :

I can't recreate this [0].

This must have been fixed by another patch?

[stack@undercloud ~]$ openstack --os-cloud overcloud role assignment list --names --system all
+--------+---------------+------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
 +--------+---------------+------------------------+---------+--------+--------+-----------+
| member | | system-support@Default | | | all | False |
| reader | | system-admins@Default | | | all | False |
| admin | admin@Default | | | | all | False |
 +--------+---------------+------------------------+---------+--------+--------+-----------+
[stack@undercloud ~]$ openstack --os-cloud overcloud role assignment list --names --system all --role reader
+--------+------+-----------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
 +--------+------+-----------------------+---------+--------+--------+-----------+
| reader | | system-admins@Default | | | all | False |
 +--------+------+-----------------------+---------+--------+--------+-----------+
[stack@undercloud ~]$ openstack --os-cloud overcloud role assignment list --names --system all --role member
+--------+------+------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
 +--------+------+------------------------+---------+--------+--------+-----------+
| member | | system-support@Default | | | all | False |
 +--------+------+------------------------+---------+--------+--------+-----------+
[stack@undercloud ~]$ openstack --os-cloud overcloud role assignment list --names --system all --role admin
+-------+---------------+-------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
 +-------+---------------+-------+---------+--------+--------+-----------+
| admin | admin@Default | | | | all | False |
 +-------+---------------+-------+---------+--------+--------+-----------+

[0] http://paste.openstack.org/raw/796387/

Revision history for this message
Vishakha Agarwal (vishakha.agarwal) wrote :

For listing of implied role assignments, "--effective" parameter is to be passed in role assignment CLI. For more information look [1].

[1]https://docs.openstack.org/api-ref/identity/v3/?expanded=list-system-role-assignments-for-a-user-detail,id627-detail#id627

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by "Gage Hugo <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/738190
Reason: Abandoning since there hasn't been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.