Cross-region requests are not blocked by keystonemiddleware

Bug #1672696 reported by Maciej Jozefczyk on 2017-03-14
Affects: keystonemiddleware | Importance: Undecided | Assigned to: Unassigned

Bug Description

Description
===========

Assuming an infrastructure with multiple regions and one centralized Keystone Identity Service, keystonemiddleware doesn't filter out requests with a valid token taken from the first region to services defined in the second region.
It is possible to list Glance public images, Nova public flavors etc. with a token from a different region even if Keystone endpoint catalog filtering is set.

Steps to reproduce
=================

1. Deploy an environment with one Keystone and at least 2 regions, named RegionOne and RegionTwo.
2. Assign OpenStack services to those regions.
3. Create a project and users in both regions.
4. Configure endpoint filtering for the regions (a user from RegionOne shouldn't get endpoints from the service catalog of RegionTwo).
5. Configure services to use keystonemiddleware.auth_token:filter_factory, example for Glance:

Add to glance-api-paste.ini:

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

6. Get a token from RegionOne (openstack token issue).
7. Use this token in a request to a service in RegionTwo, for example a request to Glance:

curl -g -i -X GET https://REGION_TWO_GLANCE_SERVICE:9292/v2/schemas/image -H "User-Agent: python-glanceclient" -H "Content-Type: application/octet-stream" -H "X-Auth-Token: TOKEN_FROM_REGION_ONE"

Expected result
===============

The response from the service defined in RegionTwo should likely be as follows:

HTTP/1.1 401 Unauthorized
Content-Length: 253
Content-Type: text/plain; charset=UTF-8
Www-Authenticate: Keystone uri='https://CENTRAL_KEYSTONE:5000/v3/'
Date: Tue, 14 Mar 2017 11:31:34 GMT

Actual result
=============

The requested endpoint answers with HTTP code 200.

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 4149
X-Openstack-Request-Id: req-c3483e4d-de31-4597-b12f-4f33d59cca44
Date: Tue, 14 Mar 2017 11:29:30 GMT

<JSON WITH GLANCE PUBLIC IMAGES FROM RegionTwo>

Environment
===========

OpenStack Newton (it seems master is affected too).
Keystonemiddleware version 4.9.0 (master also affected)
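
As an added example (not code from this bug report or from keystonemiddleware), one deployment-side mitigation for the behaviour described above: a hypothetical paste filter placed after authtoken in the pipeline that refuses any token whose endpoint-filtered catalog names no endpoint in the local region, answering with the 401 shown under "Expected result". It assumes authtoken forwards the catalog downstream in the X-Service-Catalog header; the catalog sample and the region names are constructed.

```python
import json
from typing import Callable, Iterable

# Assumption: authtoken already validated the token and passed the
# endpoint-filtered catalog on as the X-Service-Catalog header, which WSGI
# exposes as environ["HTTP_X_SERVICE_CATALOG"] (v2 or v3 endpoint shape).
CATALOG_ENV_KEY = "HTTP_X_SERVICE_CATALOG"

def catalog_regions(catalog_json: str) -> set:
    """Every region named by any endpoint in the catalog; empty if unparsable."""
    regions = set()
    try:
        catalog = json.loads(catalog_json)
    except ValueError:
        return regions
    if not isinstance(catalog, list):
        return regions
    for service in catalog:
        for ep in service.get("endpoints", []):
            region = ep.get("region_id") or ep.get("region")
            if region:
                regions.add(region)
    return regions

class RegionGuard:
    """Hypothetical paste filter placed after authtoken: reject requests whose
    catalog holds no endpoint in this deployment's own region."""
    def __init__(self, app: Callable, local_region: str, keystone_uri: str):
        self.app, self.local_region, self.keystone_uri = app, local_region, keystone_uri

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        if self.local_region not in catalog_regions(environ.get(CATALOG_ENV_KEY, "")):
            body = b"Authentication required: token not valid in this region\n"
            start_response("401 Unauthorized", [
                ("Content-Type", "text/plain; charset=UTF-8"),
                ("Content-Length", str(len(body))),
                ("Www-Authenticate", "Keystone uri='%s'" % self.keystone_uri)])
            return [body]
        return self.app(environ, start_response)

def status_for(catalog_json: str, local_region: str) -> str:
    """Run one request through the guard in front of a stub app; return the status."""
    seen = {}
    guard = RegionGuard(lambda env, sr: sr("200 OK", []) or [b"{}"], local_region,
                        "https://CENTRAL_KEYSTONE:5000/v3/")
    list(guard({CATALOG_ENV_KEY: catalog_json}, lambda status, headers: seen.update(status=status)))
    return seen["status"]

# Constructed sample: the endpoint-filtered catalog a RegionOne user carries.
REGION_ONE_CATALOG = json.dumps([{"type": "image", "name": "glance", "endpoints": [
    {"region_id": "RegionOne", "interface": "public", "url": "https://glance-r1:9292"}]}])
```

A RegionTwo Glance with `local_region="RegionTwo"` rejects the RegionOne token while the same token still passes in RegionOne; a missing or malformed catalog is treated as granting nothing.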

Changed in keystonemiddleware:
assignee: nobody → Maciej Jozefczyk (maciej.jozefczyk)
Lance Bragstad (lbragstad) wrote:

Automatically unassigning due to inactivity.

Changed in keystonemiddleware:
assignee: Maciej Jozefczyk (maciej.jozefczyk) → nobody
Morgan Fainberg (mdrnstm) wrote:

This is not really in the design of keystonemiddleware. It would be possible to enforce this by using different fernet keys between the two regions if you had disparate keystones (even with a synchronized db). Many deployments want the opposite behavior. I recommend either limiting project access in a given region (no quota) or having disparate keystones with an in-sync db for each region.

Changed in keystonemiddleware:
status: New → Opinion