get_admin_context inadvertently elevates thread

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

The security implications of this may be N/A or minor for Cinder and Neutron. In attempting to determine the scope I looked at the calls to oslo_context.context.get_current(), which I believe is the only way to get context from the thread local.

I did not see any calls to this method in Cinder or Neutron which would lead me to believe neither project is going after the thread local context to use it and are all depending on the context passed through the call chain.

It looks like Sahara would also be impacted here.

I am going to remove Neutron since we don't use the method to retrieve the context from thread local.

This is definitely a bug in cinder, and should be fixed, but it doesn't look like we rely on the context after the elevation, so I don't think there are security issues, just usability. i.e. Even if fixed, cinder would behave the same whether we passed override=True or False.

This is only from a first look though, and I'd like to get somebody else to confirm

Is Sahara still using the context after the elevation ? Or like for Cinder it does not cause a security issue ?

I will look into this a little more, but I don't think that sahara continues to use the context after the request has ended. In most cases, the context is elevated to admin, an action is performed, and then the thread's lifetime is over.

I suspect this is a class D type of bug according to VMT taxonomy ( https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

If nobody complains, let's remove the ossa task and open this bug by the end of week.

Reviewed: https://review.openstack.org/247102
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=2cf1f17ee5dc4957efbbc1f1f8f3781d7b9408d5
Submitter: Jenkins
Branch: master

commit 2cf1f17ee5dc4957efbbc1f1f8f3781d7b9408d5
Author: Samuel Matzek <email address hidden>
Date: Wed Nov 18 13:40:42 2015 -0600

    Preserve request id in Cinder logs

    Several Cinder volume drivers make calls to get the admin context.
    When the admin context is retrieved the user context and its request
    ID is lost and all subsequent log entries have different request IDs.

    The fix is to pass the overwrite parameter in Cinder's RequestContext
    __init__ method to the parent oslo class.

    Partial-Bug: #1511406

    Change-Id: I8972b46f15518f22dc9bb340d7c1ba08be1fa2bc

This bug is > 60 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

This bug still appears to be valid for sahara, with get_admin_context not passing overwrite=False when it creates a new Context instance (default is True).

Sahara fix proposed here: https://review.openstack.org/#/c/292557/

Reviewed: https://review.openstack.org/292557
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=eb5a6bcc06a9e7faff4030d278f418264bb0562e
Submitter: Jenkins
Branch: master

commit eb5a6bcc06a9e7faff4030d278f418264bb0562e
Author: Matthew Edmonds <email address hidden>
Date: Mon Mar 14 14:55:07 2016 -0400

    get_admin_context overwriting context

    When the admin context is retrieved, the user context and its request
    ID is lost. All subsequent log entries would have different request IDs
    and any further context checking will be using an admin's context
    instead of the user's context. I'm not aware of any further checking
    today, but better to fix this now and avoid that being an issue in the
    future.

    Change-Id: I1371ddb70736a49f9124f85352d6d195aec97c80
    Closes-Bug: #1511406

This issue was fixed in the openstack/sahara 4.0.0.0rc1 release candidate.