Authentication is not checked before sending potentially large request bodies
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Won't Fix
|
Undecided
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
keystonemiddleware |
Invalid
|
Medium
|
Unassigned | ||
python-keystoneclient |
Invalid
|
Medium
|
Unassigned |
Bug Description
When making an HTTP request with a body to an api using the keystone auth_token middleware and no request size limiting then an unauthorized user can send a very large request that will not fail with a 401 until after all of the data is sent. This means that anyone who can hit an api could make many requests with large bodies and not be denied until after all of that data has been sent, wasting lots/all of the resources on the api node essentially bringing it down.
This issue can be mitigated for apis like nova by having middleware or using the webserver to limit the maximum size of a request. In the case of the glance-api however, large requests such as image uploads need to occur. Perhaps the auth_token middleware should look at request headers and perform authN and authZ before accepting all of the request body. It's also very inefficient and time consuming to wait until all the data is sent before receiving a 401.
I am not sure of the level of impact this could have for most deployers and the different APIs.
Here is an example of requests to glance and devstack with a bad token and their times to complete. Nova-api on devstack also accepted large bodies before returning a 401.
1 Meg Image
[ameade@
[17:30:16] $ time glance --debug --os-auth-token 'gah' image-create --name test <1meg.img
curl -i -X POST -H 'Transfer-Encoding: chunked' -H 'User-Agent: python-
HTTP/1.1 401 Unauthorized
date: Thu, 18 Jul 2013 17:30:30 GMT
content-length: 253
content-type: text/plain; charset=UTF-8
401 Unauthorized
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
Request returned failure status.
Invalid OpenStack Identity credentials.
real 0m0.766s
user 0m0.312s
sys 0m0.164s
100 meg
[ameade@
[17:31:35] $ time glance --debug --os-auth-token 'gah' image-create --name test <100meg.img
curl -i -X POST -H 'Transfer-Encoding: chunked' -H 'User-Agent: python-
HTTP/1.1 401 Unauthorized
date: Thu, 18 Jul 2013 17:31:40 GMT
content-length: 253
content-type: text/plain; charset=UTF-8
401 Unauthorized
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
Request returned failure status.
Invalid OpenStack Identity credentials.
real 0m1.441s
user 0m0.420s
sys 0m0.344s
10 gig
[ameade@
[17:16:23] 1 $ time glance --debug --os-auth-token 'gah' image-create --name test <10g.img
curl -i -X POST -H 'Transfer-Encoding: chunked' -H 'User-Agent: python-
HTTP/1.1 401 Unauthorized
date: Thu, 18 Jul 2013 17:16:28 GMT
content-length: 253
content-type: text/plain; charset=UTF-8
401 Unauthorized
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.
Request returned failure status.
Invalid OpenStack Identity credentials.
real 0m56.082s
user 0m6.308s
sys 0m17.669s
Changed in glance: | |
status: | New → Confirmed |
status: | Confirmed → Triaged |
Changed in glance: | |
status: | Triaged → Confirmed |
status: | Confirmed → Won't Fix |
importance: | High → Undecided |
Changed in keystonemiddleware: | |
status: | Incomplete → Invalid |
I agree that public glance-api servers present a unique challenge here. Not totally convinced we can address that as a security fix though -- it might be OSSN territory...
We should discuss on the private bug how we would fix that first, and then decide in which bucket it falls.