Service accounts can be used to log in to Horizon
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Invalid | Undecided | Adam Young |
OpenStack Dashboard (Horizon) | Opinion | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Medium | Travis McPeak |
Bug Description
This is not a bug and may / may not be a security issue ... but it appears that the service accounts created in Keystone are at the same privilege level as any other admin accounts created through Keystone, and I don't like that.
Would it be possible to implement something that would distinguish user accounts from service accounts? Is there a way to isolate some service accounts from the rest of the OpenStack APIs?
One quick example of this is that all service accounts have admin privileges on all the other services. At this point, I'm trying to figure out why we are creating a distinct service account for each service if nothing isolates them.
I.e.:
glance account can spawn a VM
cinder account can delete an image
heat account can delete a volume
nova account can create an image
All of these service accounts have access to the Horizon dashboard. One small hack could be to prevent those accounts from logging in to Horizon.
Thanks,
Dave
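The report above boils down to one observation: the policy rules of every service grant access on `role:admin`, and a service account holding that role is indistinguishable from a human administrator. The following toy evaluator is an added illustration and is not code from the bug report, from OpenStack, or from oslo.policy. It supports only the `role:X`, `and`, `or`, `not` subset of the rule syntax; the account names, the rule names, the `service` role on the service accounts, and the hardened rule set are all constructed assumptions for this example. It audits a legacy-style rule set beside a hardened one that excludes `role:service` from user-facing operations and only re-admits it where a cross-service call is genuinely needed.

```python
"""Toy oslo.policy-style evaluator (added illustration, not OpenStack code).

Assumptions made for this example, none of them taken from the bug report:
  - every service account carries the roles ``admin`` and ``service``;
  - the legacy rules below grant privileged operations on ``role:admin`` alone;
  - the hardened rules add ``and not role:service`` so a service account's
    admin role no longer unlocks other services' APIs or the dashboard.
Only ``role:X``, ``and``, ``or`` and ``not`` are implemented (``and`` binds
tighter than ``or``); real deployments must use oslo.policy itself.
"""

# Constructed sample accounts: name -> set of Keystone roles held.
ACCOUNTS = {
    "glance": {"admin", "service"},      # service account of the image service
    "nova": {"admin", "service"},        # service account of the compute service
    "alice-admin": {"admin"},            # a human cloud administrator
    "bob": {"member"},                   # an ordinary project user
}

# Which service each service account belongs to (assumed mapping).
SERVICE_OF = {"glance": "image", "nova": "compute"}

# Legacy-style rules: an admin role is an admin role, whoever holds it.
LEGACY_POLICY = {
    "compute:create": "role:admin or role:member",
    "image:delete": "role:admin",
    "image:download": "role:admin or role:member",
    "volume:delete": "role:admin",
    "dashboard:login": "role:admin or role:member",
}

# Hardened variant (assumed, illustrative): service accounts are shut out of
# user-facing operations; image download stays open because the compute
# service legitimately fetches images on behalf of users.
HARDENED_POLICY = {
    "compute:create": "role:member or role:admin and not role:service",
    "image:delete": "role:admin and not role:service",
    "image:download": "role:member or role:admin or role:service",
    "volume:delete": "role:admin and not role:service",
    "dashboard:login": "role:member or role:admin and not role:service",
}


def _check_atom(atom, roles):
    """Evaluate one ``role:X`` or ``not role:X`` check against a role set."""
    negate = atom.startswith("not ")
    if negate:
        atom = atom[len("not "):].strip()
    kind, _, value = atom.partition(":")
    if kind != "role":
        raise ValueError(f"unsupported check type in rule: {atom!r}")
    return (value not in roles) if negate else (value in roles)


def evaluate(rule, roles):
    """A rule is an OR of AND-clauses of atoms; return True if any clause holds."""
    return any(
        all(_check_atom(atom.strip(), roles) for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def allowed(policy, action, account):
    """Would ``account`` pass the policy rule for ``action``?"""
    return evaluate(policy[action], ACCOUNTS[account])


def audit(policy):
    """Map every account to the sorted list of actions it is allowed."""
    return {
        account: sorted(action for action in policy if allowed(policy, action, account))
        for account in ACCOUNTS
    }


def cross_service_reach(policy):
    """(account, action) pairs where a service account reaches another service.

    This is the report's complaint made measurable: under the legacy rules the
    glance account can spawn a VM and the nova account can delete an image.
    """
    reach = []
    for account, own_service in SERVICE_OF.items():
        for action in policy:
            target_service = action.split(":", 1)[0]
            if target_service != own_service and allowed(policy, action, account):
                reach.append((account, action))
    return sorted(reach)


if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"--- {label} policy ---")
        for account, actions in audit(policy).items():
            print(f"{account:12s} {', '.join(actions) or '(nothing)'}")
        print("cross-service reach:", cross_service_reach(policy))
```

Under the legacy rules the two service accounts pass every rule, dashboard login included, exactly as the report describes; under the hardened rules they keep only the one cross-service call they need, while the human administrator and the ordinary member are unaffected. Whether a `service` role exists and which cross-service calls each account genuinely needs is deployment-specific and must be checked against the real policy files rather than this toy.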
tags: removed: such wow
Changed in ossa: status: Incomplete → Won't Fix
information type: Private Security → Public
Changed in ossn: status: New → Incomplete
Changed in ossn: assignee: nobody → Travis McPeak (travis-mcpeak)
Changed in ossn: status: Incomplete → In Progress
Changed in nova: status: New → Incomplete
Changed in ossn: assignee: nobody → Travis McPeak (travis-mcpeak)
Changed in ossn: importance: Undecided → Medium
Changed in ossn: status: In Progress → Fix Committed
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
Should this need a Keystone task?