Comment 13 for bug 644092

Devin Carlen (devcamcar) wrote : Re: [Bug 644092] Re: authorization not checked in ec2 api

++ The data layer is the last line of defense to prevent coding errors from presenting data that doesn't belong to the user in context.

On Sep 21, 2010, at 3:49 PM, anotherjesse wrote:

> Soren wrote:
>
> "Now that I think about it, I'm not sure how they're supposed to work?
> They're applied before the object(s) being accessed are even known, so
> it only really checks if context.user has the given role on
> context.project, right? So any checks further down should check whether
> the object being accessed belongs to context.project. Is that accurate?"
>
> This is what I am proposing: that the data layer should check to see if
> the project is allowed to access the object.
>
> --
> authorization not checked in ec2 api
> https://bugs.launchpad.net/bugs/644092
>
> Status in OpenStack Compute (Nova): New
>
> Bug description:
> Users can see things they shouldn't be able to.
>
> STEPS:
>
> 0) create two users a & b, NOT in the same project
>
> 1) start an instance as user a
>
> 2) get_console_output on user a's instance as user b
>
> EXPECTED:
>
> the user should not get the output (user b should not be able to get console output for instances they don't own)
>
> ACTUAL:
>
> console output from instance is returned successfully
>
> DETAILS:
>
> for instance, get_console_output in cloud.py:
>
> def get_console_output(self, context, instance_id, **kwargs):
>     # context carries the user/project, but the db layer never consults it
>     instance_ref = db.instance_get_by_str(context, instance_id[0])
>     return rpc.call('%s.%s' % (FLAGS.compute_topic,
>                                instance_ref['host']),
>                     {"method": "get_console_output",
>                      "args": {"context": None,
>                               "instance_id": instance_ref['id']}})
>
> sends a context (which has the user/project) into the instance_get_by_str function, but context is not used in the db layer to determine if the user has access to the instance.
>
> Similarly for all other data store objects.
>
> PROPOSAL:
>
> My thought is that the data layer should only return objects that the user is authorized to see. If we check at the API layer instead of the data access layer, we have the possibility of inconsistent rules for the same data types as the API evolves.
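Added example, not part of this comment thread and not Nova's own code: a small Python model of the proposal above, with the unchecked lookup from the bug report beside a data-layer lookup that only returns rows owned by the caller's project, driven through a handler shaped like cloud.get_console_output. Context, Instance, the INSTANCES table, NotFound and both lookup functions are assumed shapes chosen for illustration; Nova's real db, rpc and FLAGS objects are not used, and the sample instances are constructed for the example.

```python
"""Data-layer ownership check (added example, not Nova's code).

Context, Instance, INSTANCES and the two lookup functions are assumed shapes
chosen for illustration; Nova's real db/rpc/FLAGS objects are not used.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class NotFound(Exception):
    """No instance with that id is visible to the caller."""


@dataclass(frozen=True)
class Context:
    """Who is calling, on behalf of which project (assumed shape)."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Instance:
    id: int
    internal_id: str        # the 'i-xxxxxxxx' string EC2 clients pass in
    project_id: str
    host: str
    console_output: str     # stands in for what the compute host would return


# Constructed sample table standing in for the instances table: one instance
# per project, matching steps 0 and 1 of the bug report.
INSTANCES: Dict[int, Instance] = {
    1: Instance(1, "i-00000001", "project-a", "compute-1", "console of a's instance"),
    2: Instance(2, "i-00000002", "project-b", "compute-2", "console of b's instance"),
}

Lookup = Callable[[Context, str], Instance]


def instance_get_by_str_unchecked(context: Context, instance_str: str) -> Instance:
    """The lookup as the bug describes it: context is accepted but never
    consulted, so anyone who knows the id gets the row."""
    for inst in INSTANCES.values():
        if inst.internal_id == instance_str:
            return inst
    raise NotFound(instance_str)


def instance_get_by_str(context: Context, instance_str: str) -> Instance:
    """Checked lookup: a row is returned only if it belongs to the caller's
    project (admins see everything). A row owned by another project is
    reported as NotFound, not NotAuthorized, so the call does not even
    confirm that the instance exists."""
    for inst in INSTANCES.values():
        if inst.internal_id != instance_str:
            continue
        if context.is_admin or inst.project_id == context.project_id:
            return inst
        break       # found, but not ours: same answer as a missing row
    raise NotFound(instance_str)


def get_console_output(context: Context, instance_str: str,
                       lookup: Lookup = instance_get_by_str) -> str:
    """API-layer handler shaped like cloud.get_console_output. It does no
    ownership check itself; it relies on the data layer, which is the point
    of the proposal. 'lookup' only exists so both variants can be exercised."""
    instance_ref = lookup(context, instance_str)
    # Nova would rpc.call the compute topic on instance_ref.host here; the
    # stored string stands in for that reply.
    return instance_ref.console_output


def is_visible(context: Context, instance_str: str,
               lookup: Lookup = instance_get_by_str) -> bool:
    """True if the given lookup would hand this caller the instance."""
    try:
        lookup(context, instance_str)
        return True
    except NotFound:
        return False


def reproduce(lookup: Lookup) -> Dict[str, Optional[str]]:
    """Steps 0-2 of the bug report against a given lookup: user a reads its own
    console, then user b (a different project) tries to read a's console.
    Returns what each call produced, None where the data layer refused."""
    user_a = Context("a", "project-a")
    user_b = Context("b", "project-b")
    result: Dict[str, Optional[str]] = {}
    result["a_reads_own"] = get_console_output(user_a, "i-00000001", lookup)
    try:
        result["b_reads_a"] = get_console_output(user_b, "i-00000001", lookup)
    except NotFound:
        result["b_reads_a"] = None
    return result


if __name__ == "__main__":
    print("unchecked:", reproduce(instance_get_by_str_unchecked))
    print("checked:  ", reproduce(instance_get_by_str))
```

Two choices in this example are mine rather than anything the thread decides. First, the checked lookup answers NotFound for a row that exists but belongs to another project, so a caller cannot use the API to confirm that an instance id is live; reporting NotAuthorized instead would leak that fact. Second, the handler passes context through and does no ownership check of its own, which is exactly what Soren's observation implies: the role decorators run before the object is known, so the only place that can compare the object's project with context.project is the data layer.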