Comment 4 for bug 1714858

TommyLike (hu-husheng) wrote : Re: Some APIs doesn't check the owner policy

After investigation in cinder, I found one API that would have a potential security issue: reset volume's status. This is the process to reproduce:

1. Assume we create a volume in the demo1 project with a non-admin user:
```
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2018-03-15T03:13:39.000000 |
| description | None |
| encrypted | False |
| group_id | None |
| id | 074c4b78-af13-4b7c-a8ef-29fa5604197f |
| metadata | {} |
| migration_status | None |
| multiattach | False |
| name | None |
| os-vol-host-attr:host | None |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | 61feeebaad1d4e4382c1c764f2033a79 |
| provider_id | None |
| replication_status | None |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| updated_at | 2018-03-15T03:13:39.000000 |
| user_id | 7bf2008b095d4961a9f4bc92a475c54e |
| volume_type | lvmdriver-1 |
+--------------------------------+--------------------------------------+
```
2. Switch into another project, demo2, as a non-administrator user which doesn't have any volumes:
```
+----+--------+------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+----+--------+------+------+-------------+----------+-------------+
+----+--------+------+------+-------------+----------+-------------+
```
3. Try to reset the newly created volume's status from this project; this is the result:
```
{
    "os-reset_status": {
        "status": "errpr"
    }
}
RESPONSE:
{
    "forbidden": {
        "message": "Policy doesn't allow volume_extension:volume_admin_actions:reset_status to be performed.",
        "code": 403
    }
}
```
4. Update the reset_status policy rule to admin_or_owner [1] and restart the service.
5. Try to reset the status again: cinder updates the status successfully even though I am not the owner of the volume. cinder list:
```
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attached_servers | [] |
| attachment_ids | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2018-03-15T03:13:39.000000 |
| description | None |
| encrypted | False |
| group_id | None |
| id | 074c4b78-af13-4b7c-a8ef-29fa5604197f |
| metadata | |
| migration_status | None |
| multiattach | False |
| name | None |
| os-vol-host-attr:host | None |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | 61feeebaad1d4e4382c1c764f2033a79 |
| provider_id | None |
| replication_status | None |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | error |
| updated_at | 2018-03-15T03:25:15.000000 |
| user_id | 7bf2008b095d4961a9f4bc92a475c54e |
| volume_type | lvmdriver-1 |
+--------------------------------+--------------------------------------+
```

[1]: https://github.com/openstack/cinder/blob/baabd09f63bb5cb7b9ff8860ceab1efe1b6eab89/cinder/policies/volume_actions.py#L76
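The behaviour reported above comes down to which target the `admin_or_owner` rule is evaluated against. The following is an added illustration, not part of the bug comment and not cinder's own code: a minimal re-implementation of the rule's semantics (`is_admin` or `project_id` matching the target's `project_id`) applied to a volume-status reset in two ways. The "unscoped" variant builds the policy target from the caller's own credentials, so the owner half of the rule compares the caller to itself and any non-admin passes; the "scoped" variant takes the target from the volume being acted upon. The volume id, owning tenant id and owner user id are the ones shown in the comment; the demo2 user and project ids are constructed placeholders.

```python
"""Added example: "admin_or_owner" only protects a resource when the policy
target is the resource's owner, not the caller. Simplified rule semantics;
this is not cinder's or oslo.policy's implementation."""
from dataclasses import dataclass


@dataclass
class Context:
    """Request credentials, as a policy engine would see them."""
    user_id: str
    project_id: str
    is_admin: bool = False

    def to_policy_values(self) -> dict:
        return {"user_id": self.user_id,
                "project_id": self.project_id,
                "is_admin": self.is_admin}


@dataclass
class Volume:
    id: str
    project_id: str  # owning tenant
    status: str


class PolicyNotAuthorized(Exception):
    """Raised when the rule denies the action (cinder returns HTTP 403)."""


def admin_or_owner(creds: dict, target: dict) -> bool:
    """Semantics of the admin_or_owner rule:
    is_admin:True or project_id:%(project_id)s (matched against the target)."""
    return bool(creds.get("is_admin")) or \
        creds.get("project_id") == target.get("project_id")


def reset_status_unscoped(ctx: Context, volume: Volume, new_status: str) -> str:
    """Vulnerable pattern: the target is derived from the caller's own
    credentials, so the ownership comparison is the caller against itself."""
    target = {"project_id": ctx.project_id, "user_id": ctx.user_id}
    if not admin_or_owner(ctx.to_policy_values(), target):
        raise PolicyNotAuthorized("reset_status denied")
    volume.status = new_status
    return volume.status


def reset_status_scoped(ctx: Context, volume: Volume, new_status: str) -> str:
    """Hardened pattern: the target is the volume being acted upon, so a
    non-admin caller from another project is rejected."""
    target = {"project_id": volume.project_id}
    if not admin_or_owner(ctx.to_policy_values(), target):
        raise PolicyNotAuthorized("reset_status denied")
    volume.status = new_status
    return volume.status


def try_reset(reset_fn, ctx: Context, volume: Volume, new_status: str) -> bool:
    """Return True if the reset was allowed, False if policy denied it."""
    try:
        reset_fn(ctx, volume, new_status)
        return True
    except PolicyNotAuthorized:
        return False


# Values from the bug comment: the demo1 volume and its owner.
DEMO1_PROJECT = "61feeebaad1d4e4382c1c764f2033a79"
DEMO1_USER = "7bf2008b095d4961a9f4bc92a475c54e"
VOLUME_ID = "074c4b78-af13-4b7c-a8ef-29fa5604197f"

# Constructed placeholders for the demo2 non-admin user.
DEMO2_PROJECT = "demo2-project-id-placeholder"
DEMO2_USER = "demo2-user-id-placeholder"


def demo() -> dict:
    """Run both variants with an outsider, the owner and an admin."""
    outsider = Context(DEMO2_USER, DEMO2_PROJECT)
    owner = Context(DEMO1_USER, DEMO1_PROJECT)
    admin = Context("admin-user-placeholder", "admin-project-placeholder",
                    is_admin=True)

    def fresh() -> Volume:
        return Volume(VOLUME_ID, DEMO1_PROJECT, "creating")

    return {
        "unscoped_outsider": try_reset(reset_status_unscoped, outsider, fresh(), "error"),
        "scoped_outsider": try_reset(reset_status_scoped, outsider, fresh(), "error"),
        "scoped_owner": try_reset(reset_status_scoped, owner, fresh(), "error"),
        "scoped_admin": try_reset(reset_status_scoped, admin, fresh(), "error"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

With the unscoped check the demo2 user is allowed to flip the demo1 volume to `error`, which matches step 5 of the comment; with the target taken from the volume, the same caller is denied while the owner and an admin still succeed. The practical check for any API guarded by an owner-style rule is therefore whether the object passed as the policy target is loaded from the resource (its `project_id`/`user_id`) rather than copied from the request context.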