group list command for all tenants is not listing all groups.

Bug #1676261 reported by lucky on 2017-03-27
This bug affects 2 people
Affects: python-cinderclient
Importance: Undecided
Assigned to: Unassigned

Bug Description

In the OpenStack documents, we have a command to list all the generic groups. Only admin has the rights to view all the groups of each tenant. However, if we log in as a user other than admin, this command also works perfectly.
Ideally, it must show an error on screen.

Reproducing steps:

1. When we source using admin
 --> source keystonerc_admin
2. Fetch the list of groups of all tenants using the command below:
[root@controller ~(keystone_admin)]# cinder --os-volume-api-version 3.13 group-list --all-tenants 1
+--------------------------------------+-----------+----------+
| ID                                   | Status    | Name     |
+--------------------------------------+-----------+----------+
| c5443e0f-e475-464a-88a1-6bad29e5fd82 | available | group_78 |
+--------------------------------------+-----------+----------+

--> It shows only one group in the list. However, if we check with another user, we have one more group.

3. source using other user
  --> source keystonerc_demo

4. Execute the command:
[root@controller ~(keystone_demo)]# cinder --os-volume-api-version 3.13 group-list
+--------------------------------------+-----------+-----------+
| ID                                   | Status    | Name      |
+--------------------------------------+-----------+-----------+
| ff6a8281-ac66-4fb6-9b79-42dc21a9371f | available | group_999 |
+--------------------------------------+-----------+-----------+

Moreover, if we use the [--all-tenants] option with a user other than admin, it also does not show any error.
As per the OpenStack documents, only admin has the permission to view the list of groups of all tenants.

[root@controller ~(keystone_demo)]# cinder --os-volume-api-version 3.13 group-list --all-tenants 1
+--------------------------------------+-----------+-----------+
| ID                                   | Status    | Name      |
+--------------------------------------+-----------+-----------+
| edfb28e6-1f3d-444c-8e97-5a7073fe3f57 | available | group_999 |
+--------------------------------------+-----------+-----------+

This leads to a vulnerability of admin rights.
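The comparison that decides what the report's three listings actually show has to be done on group IDs, not names: names are not unique across tenants, and the two demo listings above print group_999 with different IDs (ff6a8281... and edfb28e6...), so they cannot be assumed to be the same group. The following is an added worked check for this page, not code from the report or from python-cinderclient; the tables are copied from the report as printed, and the function names are this example's own.

```python
"""Compare the three `cinder group-list` outputs quoted in the report, by group ID.

Added example for this bug page; it is not part of the report or of
python-cinderclient. The three tables are copied from the report as printed
there; the function names are this example's own.
"""

# The cinder CLI prints prettytable-style ASCII tables. These are the three
# listings shown in the report (values as printed there).
ADMIN_ALL_TENANTS = """\
+--------------------------------------+-----------+----------+
| ID                                   | Status    | Name     |
+--------------------------------------+-----------+----------+
| c5443e0f-e475-464a-88a1-6bad29e5fd82 | available | group_78 |
+--------------------------------------+-----------+----------+
"""

DEMO_OWN = """\
+--------------------------------------+-----------+-----------+
| ID                                   | Status    | Name      |
+--------------------------------------+-----------+-----------+
| ff6a8281-ac66-4fb6-9b79-42dc21a9371f | available | group_999 |
+--------------------------------------+-----------+-----------+
"""

DEMO_ALL_TENANTS = """\
+--------------------------------------+-----------+-----------+
| ID                                   | Status    | Name      |
+--------------------------------------+-----------+-----------+
| edfb28e6-1f3d-444c-8e97-5a7073fe3f57 | available | group_999 |
+--------------------------------------+-----------+-----------+
"""


def parse_cinder_table(text):
    """Turn a cinder CLI ASCII table into a list of {column: value} dicts.

    Border lines start with '+'; the first '|' line is the header row.
    """
    def cells(line):
        return [c.strip() for c in line.strip().strip("|").split("|")]

    rows = [line for line in text.splitlines() if line.lstrip().startswith("|")]
    if not rows:
        return []
    header = cells(rows[0])
    return [dict(zip(header, cells(line))) for line in rows[1:]]


def group_ids(text):
    """Set of group IDs in a listing. Names are not unique across tenants,
    so every comparison below is done on IDs."""
    return {row["ID"] for row in parse_cinder_table(text)}


def classify_all_tenants(own_text, all_tenants_text, admin_all_text):
    """Decide what a non-admin's `--all-tenants 1` listing actually revealed.

    own_text         : the same user's listing without the flag
    all_tenants_text : the user's listing with --all-tenants 1
    admin_all_text   : admin's --all-tenants 1 listing, the reference for
                       "groups that are known to belong to some tenant"

    Returns one of:
      "flag_ignored"    - identical to the user's own listing: the flag was
                          accepted without error but had no effect
      "foreign_exposed" - extra IDs that admin's listing confirms exist: the
                          user saw other tenants' groups (authorization problem)
      "inconsistent"    - extra IDs that appear in no other listing: the
                          outputs cannot be compared; re-run and compare by ID
    """
    own, seen, admin = (group_ids(t) for t in (own_text, all_tenants_text, admin_all_text))
    extra = seen - own
    if not extra:
        return "flag_ignored"
    if extra <= admin:
        return "foreign_exposed"
    return "inconsistent"


def missing_from_admin(admin_all_text, *user_texts):
    """IDs some user can list that admin's --all-tenants listing does not show.

    A non-empty result is what the report title describes: the admin's
    all-tenants listing is incomplete."""
    admin = group_ids(admin_all_text)
    return sorted(set().union(*(group_ids(t) for t in user_texts)) - admin)


if __name__ == "__main__":
    print(classify_all_tenants(DEMO_OWN, DEMO_ALL_TENANTS, ADMIN_ALL_TENANTS))
    print(missing_from_admin(ADMIN_ALL_TENANTS, DEMO_OWN, DEMO_ALL_TENANTS))
```

Run against the listings as printed, `classify_all_tenants` returns "inconsistent", because the ID the demo user sees with `--all-tenants 1` is in neither the demo user's own listing nor the admin's; `missing_from_admin` returns both demo IDs, which is the incomplete admin listing the title describes. Only a "foreign_exposed" result would show that the flag let a non-admin read another tenant's groups; "flag_ignored" means the server dropped the flag silently and the only complaint left is the missing error message.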

lucky (luckysingh) wrote:

This bug is verified in the Newton release.

Changed in python-cinderclient:
assignee: nobody → NidhiMittalHada (nidhimittal19)
status: New → In Progress
NidhiMittalHada (nidhimittal19) wrote:

working on this

Unassigning due to no activity for > 6 months.

Changed in python-cinderclient:
assignee: NidhiMittalHada (nidhimittal19) → nobody
status: In Progress → Triaged
