Openstack service client caching breaks security and backward compatibility
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mistral | Triaged | Medium | Unassigned | |
Bug Description
Cached OpenStack clients are initialized with credentials, but only the tenant id is used as the cache key. This causes subsequent calls going to the same OpenStack service endpoint to be dependent on each other.
Example:
1. invoke the stacks_list action with admin credentials
2. invoke the stacks_list action with non-privileged credentials
1. will succeed.
2. will use the admin credentials, thereby breaking security.
The caching heavily relies on the expiration time of the authentication tokens, as well, but does not consider invalidated tokens. The invalidated token will be used for all outgoing calls until the token is considered expired.
Backward compatibility is also broken as the original operation involved always using the credentials provided by the client.
Caching should be disabled until these issues are solved.
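To make the keying flaw concrete, here is an added illustration that is not Mistral's code: a cache keyed on the project id alone, beside one keyed on project, user and token hash that also drops entries when a token is revoked. `Credentials`, `FakeClient` and both cache classes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Credentials:          # constructed stand-in for a keystone auth context
    project_id: str
    user_id: str
    token: str


class FakeClient:
    """Stand-in service client bound to the credentials it was created with."""
    def __init__(self, creds):
        self.creds = creds

    def stacks_list(self):
        # A real client would call the service; report whose token would be sent.
        return self.creds.user_id


class WeakClientCache:
    """The reported behaviour: the cache key is only the tenant/project id."""
    def __init__(self):
        self._clients = {}

    def get(self, creds):
        if creds.project_id not in self._clients:
            self._clients[creds.project_id] = FakeClient(creds)
        return self._clients[creds.project_id]


class SafeClientCache:
    """Key on (project, user, token hash); revoked tokens evict their entries."""
    def __init__(self):
        self._clients = {}

    @staticmethod
    def _key(creds):
        digest = hashlib.sha256(creds.token.encode()).hexdigest()
        return (creds.project_id, creds.user_id, digest)

    def get(self, creds):
        key = self._key(creds)
        if key not in self._clients:
            self._clients[key] = FakeClient(creds)
        return self._clients[key]

    def invalidate_token(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        for key in [k for k in self._clients if k[2] == digest]:
            del self._clients[key]


def second_caller_identity(cache):
    """Replay the report's two-step example; return who the second call runs as."""
    admin = Credentials("tenant-1", "admin", "tok-admin")
    alice = Credentials("tenant-1", "alice", "tok-alice")
    cache.get(admin).stacks_list()        # step 1: admin call populates the cache
    return cache.get(alice).stacks_list()  # step 2: non-privileged call


def reuses_revoked_token(cache):
    """True if a client built from a since-revoked token is still handed out."""
    creds = Credentials("tenant-1", "alice", "tok-alice")
    first = cache.get(creds)
    if hasattr(cache, "invalidate_token"):
        cache.invalidate_token(creds.token)
    return cache.get(creds) is first
```

With the weak cache the second call runs as "admin" and the revoked-token client is reused; the safe cache returns "alice" and builds a fresh client.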
Changed in mistral:
- assignee: nobody → Jeff Peeler (jpeeler-z)
- status: New → Confirmed
- importance: Undecided → Critical
- milestone: none → newton-rc2
- information type: Private Security → Public
- information type: Public → Public Security
Changed in mistral:
- assignee: Jeff Peeler (jpeeler-z) → Dougal Matthews (d0ugal)
- tags: added: newton-rc-potential
Changed in mistral:
- milestone: ocata-1 → ocata-2
Changed in mistral:
- milestone: ocata-2 → ocata-3
Changed in mistral:
- milestone: ocata-3 → ocata-rc2
Changed in mistral:
- milestone: ocata-rc2 → pike-1
Changed in mistral:
- milestone: pike-1 → pike-2
Changed in mistral:
- assignee: Dougal Matthews (d0ugal) → nobody
Changed in mistral:
- milestone: pike-2 → pike-3
Changed in mistral:
- milestone: pike-3 → queens-1
Changed in mistral:
- status: In Progress → Triaged
Changed in mistral:
- milestone: queens-1 → queens-3
Changed in mistral:
- milestone: queens-3 → rocky-2
Changed in mistral:
- milestone: rocky-2 → rocky-3
Changed in mistral:
- milestone: rocky-3 → stein-1
Changed in mistral:
- milestone: stein-1 → stein-2
Changed in mistral:
- milestone: stein-2 → none
Fix proposed to branch: master
Review: https://review.openstack.org/377420