Admin rbac filtering too lenient

Bug #1496464 reported by Travis Tripp
Affects: OpenStack Searchlight
Status: Fix Released
Importance: High
Assigned to: Steve McLellan

Bug Description

The current filtering is too lenient when an admin-scoped token is passed through the system.

https://github.com/openstack/searchlight/blob/b4bd7665d84712f66e684bf8a897c512251a661b/searchlight/api/v1/search.py#L258

This is resulting in an admin being scoped to a project, but still receiving results for all projects. We should allow passing a field such as all_projects or similar. If that isn't passed, then searchlight will still perform normal project scoped filtering.

Steve McLellan (sjmc7) wrote :

A large part of what RBAC does is restrict to the tenant. 'admin' is logically equivalent to 'cloud admin' in the current implementation, so maybe we need to tidy up what we mean, or clearly delineate what a tenant admin can do versus an ordinary user can't (although I can't think of anything at the moment) versus a cloud admin.

Travis Tripp (travis-tripp) wrote :

Yes, agreed. We need to talk through it a bit. I do think we need something changed before release, though.

Here is one negative ramification: in a project panel in Horizon, if I log in as admin, I'm getting cross-project results for all resources.

Part of me says that this isn't something that we want every UI / CLI etc to remember to do. If a user is scoped to a project, we should honor that scoping by default. Will need to think about domain further.

Steve McLellan (sjmc7) wrote :

Decision seems to be to restrict queries by default but add an 'all_tenants' parameter to disable it.

Changed in searchlight:
milestone: none → liberty-rc1
Travis Tripp (travis-tripp) wrote :
Changed in searchlight:
assignee: nobody → Steve McLellan (sjmc7)
status: New → In Progress
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to searchlight (master)

Reviewed: https://review.openstack.org/229058
Committed: https://git.openstack.org/cgit/openstack/searchlight/commit/?id=c85f0794ab194f1df9c2c4a8befd6703ce2c003b
Submitter: Jenkins
Branch: master

commit c85f0794ab194f1df9c2c4a8befd6703ce2c003b
Author: Steve McLellan <email address hidden>
Date: Tue Sep 29 12:17:07 2015 -0500

    Apply RBAC for admins unless all_projects is given

    By default, scope results for admins and regular users. A flag
    'all_projects' is given to allow that to be overridden for
    administrators (giving the previous default behavior).

    Change-Id: I10ec5f9a3e8f5f0daa52e866b796f6cc2f1f0410
    Closes-Bug: #1496464

Changed in searchlight:
status: In Progress → Fix Committed
Changed in searchlight:
status: Fix Committed → Fix Released
Changed in searchlight:
milestone: liberty-rc1 → 0.1.0.0
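The scoping behaviour discussed in this thread, as an added example that is neither Searchlight's own code nor the merged change. It contrasts the reported lenient behaviour (an admin token bypasses the project filter) with the agreed default (everyone is scoped to the token's project unless an admin explicitly passes `all_projects`), and shows why the scope is applied as a server-side filter clause rather than left to the caller's query body. The `RequestContext` fields, the `tenant_id` document field, the in-memory query evaluator and the sample documents are all constructed for this example.

```python
# Added example, not Searchlight's own code. Models the behaviour the bug
# report and the fix describe: results are scoped to the token's project by
# default, and only an admin may opt out with an explicit all_projects flag.
# The 'tenant_id' field name, the context shape and SAMPLE_DOCS are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    project_id: str   # project the token is scoped to
    is_admin: bool    # token carries the admin role


def lenient_scope(ctx):
    """Pre-fix behaviour reported in the bug: an admin token skips the
    project restriction entirely, so a project-scoped admin sees every
    project's resources. Returns an Elasticsearch-style filter or None."""
    if ctx.is_admin:
        return None
    return {"term": {"tenant_id": ctx.project_id}}


def default_scope(ctx, all_projects=False):
    """Post-fix behaviour: everyone is scoped to their project unless an
    admin explicitly asks for all_projects. A non-admin passing the flag
    is still scoped; the flag only widens what an admin may already see."""
    if all_projects and ctx.is_admin:
        return None
    return {"term": {"tenant_id": ctx.project_id}}


def build_query(user_query, scope):
    """Wrap the caller's query in a bool/filter. Because the scope is added
    server-side as a filter clause, nothing in the user-supplied query body
    can remove it or broaden it to another project."""
    if scope is None:
        return user_query
    return {"bool": {"must": [user_query], "filter": [scope]}}


# Constructed sample index: two projects, three resources.
SAMPLE_DOCS = [
    {"id": "img-1", "tenant_id": "proj-a", "name": "cirros"},
    {"id": "img-2", "tenant_id": "proj-b", "name": "ubuntu"},
    {"id": "srv-1", "tenant_id": "proj-a", "name": "web01"},
]


def _matches(doc, clause):
    """Tiny evaluator for the query subset used here (match_all, term, bool)."""
    if "match_all" in clause:
        return True
    if "term" in clause:
        ((field, value),) = clause["term"].items()
        return doc.get(field) == value
    if "bool" in clause:
        b = clause["bool"]
        return (all(_matches(doc, c) for c in b.get("must", []))
                and all(_matches(doc, c) for c in b.get("filter", [])))
    raise ValueError("unsupported clause: %r" % (clause,))


def search(ctx, user_query, all_projects=False, lenient=False):
    """Return the ids visible to ctx under either scoping policy."""
    scope = lenient_scope(ctx) if lenient else default_scope(ctx, all_projects)
    query = build_query(user_query, scope)
    return [d["id"] for d in SAMPLE_DOCS if _matches(d, query)]


if __name__ == "__main__":
    admin_a = RequestContext("proj-a", is_admin=True)
    user_b = RequestContext("proj-b", is_admin=False)
    everything = {"match_all": {}}
    print(search(admin_a, everything, lenient=True))       # bug: all three ids
    print(search(admin_a, everything))                     # fix: proj-a only
    print(search(admin_a, everything, all_projects=True))  # explicit opt-out
    print(search(user_b, everything, all_projects=True))   # non-admin still scoped
    # A query body naming another project cannot escape the filter clause.
    print(search(admin_a, {"term": {"tenant_id": "proj-b"}}))  # []
```

The last call is the check worth keeping in a regression test: with the scope applied as a `filter` clause alongside the caller's query, a request body that names a different project yields nothing rather than that project's resources, and the `all_projects` opt-out is the only path to cross-project results.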