Glance policy is too relaxed

Bug #1408363 reported by Ian Cordasco
Affects             Status         Importance   Assigned to     Milestone
OpenStack-Ansible   Fix Released   High         Ian Cordasco
  Icehouse          Invalid        High         Ian Cordasco
  Juno              Invalid        High         Ian Cordasco
  Kilo              Fix Released   High         Ian Cordasco
  Trunk             Fix Released   High         Ian Cordasco

Bug Description

Per discussion on https://review.openstack.org/#/c/145537/1/rpc_deployment/roles/glance_common/templates/policy.json we should update the following policies in glance's policy.json (after some research):

- publicize_image
- add_member
- delete_member
- modify_member

We probably don't want to restrict all of these policies to the admin role, but we probably do not want them unrestricted either.

I'm marking this private security even though the previous discussion was public.

Ian Cordasco (icordasc)
Changed in openstack-ansible:
importance: Undecided → Critical
importance: Critical → High
assignee: nobody → Ian Cordasco (icordasc)
status: New → In Progress
Changed in openstack-ansible:
status: In Progress → Fix Committed
milestone: none → next
Ian Cordasco (icordasc)
information type: Private → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on os-ansible-deployment (icehouse)

Change abandoned by Ian Cordasco (<email address hidden>) on branch: icehouse
Review: https://review.openstack.org/145850

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on os-ansible-deployment (juno)

Change abandoned by Ian Cordasco (<email address hidden>) on branch: juno
Review: https://review.openstack.org/145852

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/146413
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=bba6fa84a181d2123433d56d537826e1e8aaeee0
Submitter: Jenkins
Branch: master

commit bba6fa84a181d2123433d56d537826e1e8aaeee0
Author: Hugh Saunders <email address hidden>
Date: Mon Jan 12 10:37:53 2015 +0000

    Revert "Add proper RBAC to Glance's policy.json"

    This reverts commit 8f190b9121715cc90c1d3269f146f1161623d271.

    From Ian:
    "So I spent most of today trying to figure out why Glance’s policy isn’t
    working with the proposed glance policy changes for RBAC. I only was
    just able to find (by adding tons of logging) the basic check is parsed
    something like this

            OrCheck
            /     \
         Role    GenericCheck

    The RoleCheck is straight-forward and just works. Glance (in Juno) used
    a very old and very hacky policy enforcement system that has been made a
    lot better in oslo.policy (soon to be released). At the moment the
    GenericCheck receives a target dictionary that is empty. So doing
    something like tenant:%(tenant_id)s will return False immediately
    because there is no tenant_id key in the dictionary passed in for the
    target object (because it is empty). This seems to be a failure
    somewhere along the line but I haven’t found it yet. Regardless, it
    seems like the RBAC changes need to be reverted because there’s no
    chance of them working until a new stable glance comes out with a fix."

    So I spent most of today trying to figure out why Glance’s policy isn’t
    working with the proposed glance policy changes for RBAC. I only was
    just able to find (by adding tons of logging) the basic check is parsed
    something like this.

    Partial-bug: #1408363
    Change-Id: I094050e5ea6e1daa94c2f933c222268654f5ef78

Revision history for this message
Kevin Carter (kevin-carter) wrote :

Sadly, glance policy processing is broken and will need to be revisited in Kilo +

This issue has been moved to "next" until upstream glance is fixed.

Changed in openstack-ansible:
status: Fix Committed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/178429

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/178429
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=8bebbc6e530efe26c98f396b24c0ea00971093d3
Submitter: Jenkins
Branch: master

commit 8bebbc6e530efe26c98f396b24c0ea00971093d3
Author: Ian Cordasco <email address hidden>
Date: Tue Apr 28 16:48:11 2015 -0500

    Harden our copy of Glance's policy

    Most of Glance's current checks are implemented in the API controllers
    but in Kilo, Glance added the ability to actually define meaningful
    policy rules around images and image members. In an effort to harden
    our default config as best as we can, we should check to see if the
    user trying to perform some of these actions are either an admin or the
    owner of the image.

    Change-Id: I2dcf4d828c9be88143174de30a6b59d655ab0539
    Closes-bug: 1408363

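As an added illustration, not code from the openstack-ansible repository, from Glance or from oslo.policy, the following simplified Python model mimics the check tree the revert message above describes (an OrCheck over a RoleCheck and a GenericCheck) and the admin-or-owner intent of the "Harden our copy of Glance's policy" commit. It evaluates a relaxed rule (empty string, always true) beside a hardened one, and reproduces the failure mode from the revert: a GenericCheck such as `tenant:%(tenant_id)s` handed an empty target dictionary returns False, so the owner is denied even though the role branch still works. The policy strings, the `tenant:%(owner)s` rule, the image target and the credential dictionaries are all constructed for this example and are not the project's actual policy.json contents.

```python
"""Simplified model of Glance/oslo.policy-style rule evaluation.

Added example: this is NOT oslo.policy. It only models the structure the
revert message describes so the empty-target failure can be seen in a few
lines. All rule strings, targets and credentials below are constructed.
"""


class RoleCheck:
    """role:<name> passes when the caller's credentials carry that role."""

    def __init__(self, role):
        self.role = role.lower()

    def __call__(self, target, creds):
        return self.role in [r.lower() for r in creds.get("roles", [])]


class GenericCheck:
    """<attr>:<template> compares creds[attr] with template % target.

    tenant:%(owner)s means creds["tenant"] == target["owner"]. A missing
    target key makes the check fail rather than raise, which is exactly
    what happens when the target dictionary arrives empty.
    """

    def __init__(self, attr, template):
        self.attr = attr
        self.template = template

    def __call__(self, target, creds):
        try:
            expected = self.template % target
        except KeyError:  # target lacks the key: %(owner)s cannot resolve
            return False
        return str(creds.get(self.attr)) == expected


class TrueCheck:
    """The empty rule "": every caller is allowed (the relaxed default)."""

    def __call__(self, target, creds):
        return True


class OrCheck:
    """Any branch passing is enough."""

    def __init__(self, checks):
        self.checks = checks

    def __call__(self, target, creds):
        return any(check(target, creds) for check in self.checks)


def parse_rule(rule):
    """Parse "" or "kind:match or kind:match" into a check tree.

    Only the 'or' operator is modelled, which is all the page's rules need.
    """
    rule = rule.strip()
    if not rule:
        return TrueCheck()
    checks = []
    for part in [p.strip() for p in rule.split(" or ")]:
        kind, _, match = part.partition(":")
        checks.append(RoleCheck(match) if kind == "role" else GenericCheck(kind, match))
    return checks[0] if len(checks) == 1 else OrCheck(checks)


def enforce(policy, action, target, creds):
    """Evaluate policy[action] for the given target and credentials."""
    return parse_rule(policy[action])(target, creds)


# Constructed policies: relaxed (unrestricted) beside a hypothetical hardened rule.
RELAXED = {"publicize_image": ""}
HARDENED = {"publicize_image": "role:admin or tenant:%(owner)s"}

# Constructed target and credentials.
IMAGE = {"owner": "tenant-a"}
ADMIN = {"roles": ["admin"], "tenant": "tenant-z"}
OWNER = {"roles": ["member"], "tenant": "tenant-a"}
OTHER = {"roles": ["member"], "tenant": "tenant-b"}


def demo():
    """Return the outcome of each scenario so a test can assert on it."""
    return {
        "relaxed_other": enforce(RELAXED, "publicize_image", IMAGE, OTHER),
        "hardened_admin": enforce(HARDENED, "publicize_image", IMAGE, ADMIN),
        "hardened_owner": enforce(HARDENED, "publicize_image", IMAGE, OWNER),
        "hardened_other": enforce(HARDENED, "publicize_image", IMAGE, OTHER),
        # The Juno failure: an empty target makes the owner branch fail,
        # only the role branch can still pass.
        "hardened_owner_empty_target": enforce(HARDENED, "publicize_image", {}, OWNER),
        "hardened_admin_empty_target": enforce(HARDENED, "publicize_image", {}, ADMIN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The last two entries are the point of the revert: with the target dictionary empty, the hardened rule silently collapses to "admin only", which is why the RBAC change had to wait for a Glance release that passes a populated target to the policy engine.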
Changed in openstack-ansible:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/181497

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/181497
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=6847a36fc8e67e60de8a06e388f3f6b5f46dac31
Submitter: Jenkins
Branch: kilo

commit 6847a36fc8e67e60de8a06e388f3f6b5f46dac31
Author: Ian Cordasco <email address hidden>
Date: Tue Apr 28 16:48:11 2015 -0500

    Harden our copy of Glance's policy

    Most of Glance's current checks are implemented in the API controllers
    but in Kilo, Glance added the ability to actually define meaningful
    policy rules around images and image members. In an effort to harden
    our default config as best as we can, we should check to see if the
    user trying to perform some of these actions are either an admin or the
    owner of the image.

    Change-Id: I2dcf4d828c9be88143174de30a6b59d655ab0539
    Closes-bug: 1408363
    (cherry picked from commit 8bebbc6e530efe26c98f396b24c0ea00971093d3)

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

This report contains Public Security information  