v3/role_assignments filtering exposes unnecessary role assignments

Bug #1846817 reported by Lance Bragstad on 2019-10-04
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Unassigned
OpenStack Security Advisory
Undecided
Unassigned

Bug Description

I have a deployment that exercises multiple system role assignments:

 - An "operator" user has the "admin" role on the system
 - A "system-support" user has the "member" role on the system
 - A "system-admins" group has the "reader" role on the system

If I ask keystone to filter a list of role assignments by --system all and --role member, I should only see a list with the "system-support" user and the "operator" user. Instead, I get a list with three entries that includes the group, which doesn't have the member role at all, it only has reader.

Depending on how you classify this, it could leak information to clients. Groups don't appear to be filtered from the list since "reader" doesn't imply "member" (it's the other way around).

$ openstack role assignment list --names --system all --debug
START with options: role assignment list --names --system all --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='', auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
compute API version 2.1, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 3, cmd group openstack.volume.v3
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
key_manager API version 1, cmd group openstack.key_manager.v1
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
Using auth plugin: password
Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
Starting new HTTP connection (1): 10.0.3.122:80
http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.0.3.122/identity/v3/", "rel": "self"}]}]}}
GET call to http://10.0.3.122/identity used request id req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["JVQCRxBoTUyzm2CqiCoj6w"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, project=None, project_domain=None, quote_mode='nonnumeric', role=None, role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["U9Z3md9YTP-9-bTLuPDIzg"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}042443671367aa0183e15fd2692bf4c70d15050bdac46db883fd836440ae1065"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&include_names=True HTTP/1.1" 200 2401
RESP: [200] Connection: close Content-Length: 2401 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "c814cd4739bd4960ad08ade3814f1560", "name": "system-admins"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/c814cd4739bd4960ad08ade3814f1560/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e", "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0ec0eb48c66d4fb79c432a2ff8c5d257", "name": "admin"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0ec0eb48c66d4fb79c432a2ff8c5d257/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "e8fec49e15984aedb5e1235f279434fe", "name": "auditor"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/e8fec49e15984aedb5e1235f279434fe/roles/7ee093f4ccf345bba963ce765f9b797f"}}], "links": {"self": "http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True", "previous": null, "next": null}}

GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True used request id req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| admin | | system-admins@Default | | | all | False |
| reader | | system-auditors@Default | | | all | False |
| admin | admin@Default | | | | all | False |
| admin | operator@Default | | | | all | False |
| member | system-support@Default | | | | all | False |
| reader | auditor@Default | | | | all | False |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
clean_up ListRoleAssignment:
END return value: 0

The Trace above lists all system role assignments to confirm my setup locally. The following trace shows that the group is returned with the wrong role assignment based on the filter.

$ openstack role assignment list --names --system all --role member --debug [1/880]
START with options: role assignment list --names --system all --role member --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='',
 auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domai
n_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=F
alse, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='',
 passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_proje
ct_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', usern
ame='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'ne
utron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_
version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 've
rify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope':
'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None,
'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interfa
ce': 'public', u'disable_vendor_agent': {}}
compute API version 2.1, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 3, cmd group openstack.volume.v3
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
key_manager API version 1, cmd group openstack.key_manager.v1
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
u'interface': 'public', u'disable_vendor_agent': {}}
command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'q
cow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_ti
meout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tas
ks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_h
elp': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
Using auth plugin: password
Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
Starting new HTTP connection (1): 10.0.3.122:80
http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:49 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-d5
784d4c-7b47-4647-b912-65e6a78b835e
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.
0.3.122/identity/v3/", "rel": "self"}]}]}}
GET call to http://10.0.3.122/identity used request id req-d5784d4c-7b47-4647-b912-65e6a78b835e
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
m": {"all": true}, "expires_at": "2019-10-04T19:56:49.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["SGRaWT8BTVuzELGwxqjBdg"], "issued_at": "2019-10-04T18:56:49.000000
Z"}}
run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, pro
ject=None, project_domain=None, quote_mode='nonnumeric', role=u'member', role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
m": {"all": true}, "expires_at": "2019-10-04T19:56:50.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["2nu0u-1wQRmWA9_uS2hZ-g"], "issued_at": "2019-10-04T18:56:50.000000
Z"}}
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles/member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/roles/member HTTP/1.1" 404 84
RESP: [404] Connection: close Content-Length: 84 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-88bce424-60f2-4d2a-a6f5-2bd256602789
RESP BODY: {"error":{"code":404,"message":"Could not find role: member.","title":"Not Found"}}

GET call to identity for http://10.0.3.122/identity/v3/roles/member used request id req-88bce424-60f2-4d2a-a6f5-2bd256602789
Request returned failure status: 404
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles?name=member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/roles?name=member HTTP/1.1" 200 322
RESP: [200] Connection: close Content-Length: 322 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-ce429b68-b53d-4c49-9080-ed3da3bce55b
RESP BODY: {"links": {"self": "http://10.0.3.122/identity/v3/roles?name=member", "previous": null, "next": null}, "roles": [{"description": null, "links": {"self": "http://10.0.3.122/identity/v3/roles/a8cd98f2e98d4135b2fa83950d6171ec"}, "
options": {}, "id": "a8cd98f2e98d4135b2fa83950d6171ec", "domain_id": null, "name": "member"}]}

GET call to identity for http://10.0.3.122/identity/v3/roles?name=member used request id req-ce429b68-b53d-4c49-9080-ed3da3bce55b
REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA
256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True HTTP/1.1" 200 1328
RESP: [200] Connection: close Content-Length: 1328 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-08f9bdb9-149d-4905-96cc-99b87c8b6339
RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e"
, "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba74
7046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914
e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id":
 "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}], "links": {"self": "http://10.
0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True", "previous": null, "next": null}}

GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True used request id req-08f9bdb9-149d-4905-96cc-99b87c8b6339
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
| reader | | system-auditors@Default | | | all | False |
| admin | operator@Default | | | | all | False |
| member | system-support@Default | | | | all | False |
+--------+------------------------+-------------------------+---------+--------+--------+-----------+
clean_up ListRoleAssignment:
END return value: 0

Lance Bragstad (lbragstad) wrote :

Technically, a user that can access this API can view all role assignments anyway. I'm erring to the side of caution and opening this as a security vulnerability.

Lance Bragstad (lbragstad) wrote :

Ok - I played with this a little more locally and I don't think we have a true security vulnerability. I checked all of this with domain administrators and the filtering from the request is accounted for in authorization.

I think we're safe to open this up as a public filtering issue with the v3/role_assignments API.

https://gist.github.com/lbragstad/df576b7552b751fae16a35aa3c176b3e

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

Based on Lance's comments, I'm inclined to agree this sounds more like a security hardening opportunity (class D) or even just a regular old bug (class E): https://security.openstack.org/vmt-process.html#templates

Gage Hugo (gagehugo) wrote :

Yeah, agreed on likely class D or E here.

Lance Bragstad (lbragstad) wrote :

Sounds good - I apologize for the false alarm.

Should I make this public?

Gage Hugo (gagehugo) wrote :

Yes

information type: Private Security → Public
Jeremy Stanley (fungi) on 2019-10-04
Changed in ossa:
status: Incomplete → Won't Fix
description: updated
tags: added: security
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Colleen Murphy (krinkle) wrote :

Can you say whether this is new in Train, or present since Stein? If it is new in Train, we should try to correct it ASAP before the final release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers