cross project copy succeeded without service token

Hisashi, did you use tempauth or keystoneauth for the authentication? Did you set ACLs on the destination container?

I tested this using tempauth, and in fact the behavior is somewhat strange, if not broken. I used the following tempauth config:

[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
reseller_prefix = AUTH, SERVICE
SERVICE_require_group = .service
user_glance_glance = glancepw .service

1. If I set an ACL on a container owned by the glance service account for test:tester3 it can be accessed without any service token at all. This might be ok - at least it is the same behavior with other, non-service accounts. However, if it is ok the documentation needs an update:

https://github.com/openstack/swift/blob/89397c5b679c2ad20f96fc81d8de6b1bf86482a6/swift/common/middleware/tempauth.py#L93-L115

2. If no ACL is set the access is denied both with and without a service token. Looking at the code I would expect that a request with a valid service token should grant administrator access.

https://github.com/openstack/swift/blob/89397c5b679c2ad20f96fc81d8de6b1bf86482a6/swift/common/middleware/tempauth.py#L506

The variable "account" is actually "SERVICE_glance", and the groups are "['test', 'test:tester3', 'glance', 'glance:glance', '.service']". However, if this would be changed a request with a service token would not need a ACL at all; thus giving administrator/owner access to the test:tester3 user with a valid service token. Not sure if this is wanted either?

I didn't test this with the keystoneauth middleware yet.

Christian, Thanks for the test. I used Keystone and didn't set Acls on the container. I wrote "cross project access" but it's not correct. The correct summary is "same project (different reseller prefix) copy without service token".
I quick looked at tempauth I'm not sure but the behavior is not happed with the logic. I will check later. In keystoneauth, the logic at https://github.com/openstack/swift/blob/89397c5b679c2ad20f96fc81d8de6b1bf86482a6/swift/common/middleware/keystoneauth.py#L490 is effect the bahavior. If once authorized (but delay_denial), swift_owner in req.environment. Then put with the environment. The request doesn't have service roles but will be authorized for destination.

$ export TOKEN=`curl -i -X POST http://127.0.0.1:5000/v3/auth/tokens -H "Content-Type: application/json" -H "Accept: application/json" -T /home/objectstorage/account/test6_user.json | grep X-Subject-Token | sed -e "s/X-Subject-Token: //g"` curl -i -X PUT -T ./object -H "X-Auth-Token: $TOKEN" http://127.0.0.1:8080/v1/AUTH_3bb2ec4a966b4a9aa19c6007d248b74e/e1e004a9abd44650ba8b4f0c3d1586f2/9826d9570fe144fd9dca30c7b8fdc59c
curl -i -X PUT -H "X-Auth-Token: $TOKEN" http://127.0.0.1:8080/v1/SERVICE_3bb2ec4a966b4a9aa19c6007d248b74e/e5aee7b3628641c08f55b58a9d06c31e
export TOKEN=`curl -i -X POST http://127.0.0.1:5000/v3/auth/tokens -H "Content-Type: application/json" -H "Accept: application/json" -T /home/objectstorage/account/test_user.json | grep X-Subject-Token | sed -e "s/X-Subject-Token: //g"` % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 2721 100 2316 100 405 22093 3863 --:--:-- --:--:-- --:--:-- 22485

$ curl -i -X PUT -H "X-Auth-Token: $TOKEN" http://127.0.0.1:8080/v1/AUTH_3bb2ec4a966b4a9aa19c6007d248b74e/e1e004a9abd44650ba8b4f0c3d1586f2
HTTP/1.1 201 Created
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx152ef21a8b1e432eb2de7-0055c3dcda
Date: Thu, 06 Aug 2015 22:16:59 GMT

$ curl -i -X PUT -T ./object -H "X-Auth-Token: $TOKEN" http://127.0.0.1:8080/v1/AUTH_3bb2ec4a966b4a9aa19c6007d248b74e/e1e004a9abd44650ba8b4f0c3d1586f2/9826d9570fe144fd9dca30c7b8fdc59c
HTTP/1.1 100 Continue

HTTP/1.1 201 Created
Last-Modified: Thu, 06 Aug 2015 22:17:00 GMT
Content-Length: 0
Etag: 2debfdcf79f03e4a65a667d21ef9de14
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx78f7f048f7114b99b8063-0055c3dcdb
Date: Thu, 06 Aug 2015 22:16:59 GMT

$ curl -i -X PUT -H "X-Auth-Token: $TOKEN" http://127.0.0.1:8080/v1/SERVICE_3bb2ec4a966b4a9aa19c6007d248b74e/e5aee7b3628641c08f55b58a9d06c31e
HTTP/1.1 201 Created
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txf3716c64b931419cafbdf-0055c3dcdb
Date: Thu, 06 Aug 2015 22:16:59 GMT

$ export TOKEN=`curl -i -X POST http://127.0.0.1:5000/v3/auth/tokens -H "Content-Type: application/json" -H "Accept: application/json" -T /home/objectstorage/account/test_user.json | grep X-Subject-Token | sed -e "s/X-Subject-Token: //g"`
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 2710 100 2307 100 403 18356 3206 --:--:-- --:--:-- --:--:-- 18456

$ curl -i -X COPY -H "X-Auth-Token: $TOKEN" -H "Destination: e5aee7b3628641c08f55b58a9d06c31e/cdaa2613dcd1415897f5b401c5176700" -H "Destination-Account: SERVICE_3bb2ec4a966b4a9aa19c6007d248b74e" http://127.0.0.1:8080/v1/AUTH_3bb2ec4a966b4a9aa19c6007d248b74e/e1e004a9abd44650ba8b4f0c3d1586f2/9826d9570fe144fd9dca30c7b8fdc59c
HTTP/1.1 201 Created
Content-Length: 0
X-Copied-From-Last-Modified: Thu, 06 Aug 2015 22:17:00 GMT
X-Copied-From: e1e004a9abd44650ba8b4f0c3d1586f2/9826d9570fe144fd9dca30c7b8fdc59c
Last-Modified: Thu, 06 Aug 2015 22:17:11 GMT
Etag: 2debfdcf79f03e4a65a667d21ef9de14
X-Copied-From-Account: AUTH_3bb2ec4a966b...

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Hisashi: thanks for the update. Actually it looks to me like there are two separate issues; the one you discovered in keystoneauth, and another one in tempauth.

I attached a patch for the tempauth issue; interestingly this passes all unit and functional tests. It looks to me like tests are not covering this issue yet. I'm looking into it. With the patch applied a normal user needs a valid ACL and a valid service token to access a container.

Need to have a closer look to the issue in keystone.

Any progress here ?

Is the SERVICE_ account supposed to be used at all ?

I've subscribed the OSSG core security reviewers to get some additional insight as to whether this bug is risky enough that it should remain under embargo. If reasonably safe to do so, I would like to consider switching this to public security since we're approaching a couple of months in with no resolution yet and some increased visibility within the community might help quicken the pace.

It's difficult for me to assess the security impact because I'm not clear on the expected and actual behavior.

Christian/Hisashi - can you please summarize what is supposed to happen and what is actually happening? As a result of this what kind of assets can be tampered/disclosed?

A service account requires two tokens to access data in it: one token from the user and one from the service (for example Glance).

It seems there is an issue with this; a user can access data without a service token if an ACL for this user exists.
So far I was only able to verify this with tempauth - the required_group is by default not really required, only for admin access.

I'd like to add Donagh McCabe to this bug report to get his opinion on this. Is that ok?

Christian - thanks for the summary. I'll be interested in Donagh's thoughts as well.

Christian, by all means please subscribe anyone else you think may be able to help with this.

I did subscribe Donagh to this bug but he is struggling to login to launchpad. We are looking into this issue..

Fix prposed: https://review.openstack.org/226707

The patch was pushed publicly, so we need to open this bug as well.

Since we're coming up on a release, we're targeting it to land for that.

I've switched the bug to public security now.

Attached is a shell script that explains what works and what not - or what should not work, that is. With my patch from comment #5 (https://bugs.launchpad.net/swift/+bug/1483007/comments/5) it will work as expected.

I'll submit that patch for review, and continue with a patch for keystoneauth.

I submitted a second patchset (https://review.openstack.org/#/c/227133/), and this fixes it for me both for tempauth and for keystoneauth.

With Keystone it's basically the same as in tempauth - the example from comment #16 works with minimal modifications too (setting keystone tokens, urls and usernames).

For other reviewer's wanting to try out Christian's example.sh script to look at the behaviour (in tempauth), here is another version which uses awk rather then cut, as his cut points where cutting off apart of the token in my locale. Awk version should work everywhere because it uses a field separator.

Anyway, back to testing and reviewing for me.?field.comment=For other reviewer's wanting to try out Christian's example.sh script to look at the behaviour (in tempauth), here is another version which uses awk rather then cut, as his cut points where cutting off apart of the token in my locale. Awk version should work everywhere because it uses a field separator.

Anyway, back to testing and reviewing for me.

Related fix proposed to branch: master
Review: https://review.openstack.org/229787

Reviewed: https://review.openstack.org/227133
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=4b8f52b1536ad6ea36719b2bfd4cce29fbc843c6
Submitter: Jenkins
Branch: master

commit 4b8f52b1536ad6ea36719b2bfd4cce29fbc843c6
Author: Christian Schwede <email address hidden>
Date: Mon Aug 10 08:44:20 2015 +0000

    Fix copy requests to service accounts in Keystone

    In case of a COPY request the swift_owner was already set to True, and the
    following PUT request was granted access no matter if a service token was used
    or not. This allowed to copy data to service accounts without any service
    token.

    Service token unit tests have been added to verify that when
    swift_owner is set to True in a request environ, this setting is
    ignored when authorizing another request based on the same
    environ. Applying only this test change on master fails currently, and
    only passes with the fix in this patch.

    Tempauth seems to be not affected, however a small doc update has been added to
    make it more clear that a service token is not needed to access a service account
    when an ACL is used.

    Further details with an example are available in the bug report
    (https://bugs.launchpad.net/swift/+bug/1483007).

    Co-Authored-By: Alistair Coles <email address hidden>
    Co-Authored-By: Hisashi Osanai <email address hidden>
    Co-Authored-By: Donagh McCabe <email address hidden>

    Closes-Bug: 1483007
    Change-Id: I1207b911f018b855362b1078f68c38615be74bbd

Change abandoned by Alistair Coles (<email address hidden>) on branch: master
Review: https://review.openstack.org/229787
Reason: @Hisashi @John thanks for reviewing this, on reflection it doesn't add much to what we now have merged as unit tests and I would much prefer to see a functional test.

The chain of patches for functional tests progress, starting with https://review.openstack.org/#/c/202411/, should provide what we need I think.

As background: The service token feature is intended for use by Glance and Cinder. There is proposed Glance code that would use the feature, but it is not in Liberty. I'm not aware of any activity in the Cinder team. In principal, someone might have used the service token feature in a deployment, but until very recently there was no support in python-swiftclient so it would have been reasonably difficult to setup and use. Hence, I doubt if this feature is in active use in any production deployment.

Thanks Donagh for this extra details. So since no stable releases seems to be affected, I removed the advisory task.

Fix proposed to branch: feature/crypto
Review: https://review.openstack.org/234065

Reviewed: https://review.openstack.org/234065
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=c80229fd86853f5f8541aeef4b5044170572640d
Submitter: Jenkins
Branch: feature/crypto

commit 9cafa472a336f66d149a20c12f4251703d96f04d
Author: Ondřej Nový <email address hidden>
Date: Sat Oct 10 20:57:07 2015 +0200

    Autodetect systemctl in SAIO and use it on systemd distros

    Change-Id: I84a9b27baac89327749d8774032860f8ad5166f2

commit 92767f28d668643bc2affee7b2fd46fd9349656a
Author: Emile Snyder <email address hidden>
Date: Sun Oct 11 21:24:54 2015 -0700

    Fix 'swift-ring-builder write_builder' after you remove a device

    clayg already posted the code fix in the bug, but noted it needs a test.

    Closes-Bug: #1487280
    Change-Id: I07317754afac7165baac4e696f07daeba2e72adc

commit a48649002970b2150d24d0622a100f54045443c5
Author: Lisak, Peter <email address hidden>
Date: Mon Oct 12 14:42:01 2015 +0200

    swift-recon fails with socket.timeout exception

    If some server is overloaded or timeout set too low, swift-recon fails with
    raised socket.timeout exception.

    This error should be processed the same way as HTTPError/URLError.

    Change-Id: Ide8843977ab224fa866097d0f0b765d6899c66b8

commit 767fac8186ea4541f4466ac9a55c03abea6a878b
Author: Christian Schwede <email address hidden>
Date: Mon Oct 12 07:09:00 2015 +0000

    Enable H234 check (assertEquals is deprecated, use assertEqual)

    All usages of assertEquals and assertNotEquals are fixed now, so let's enable
    the H234 check to avoid regressions in the future.

    Change-Id: I2c2ccb3b268cf9eb11f2db045378ab125a02bc31

commit 1882801be1d8983cd718786bd409cf09f65a00b0
Author: janonymous <email address hidden>
Date: Mon Aug 31 21:49:49 2015 +0530

    pep8 fix: assertNotEquals -> assertNotEqual

    assertNotEquals is deprecated in py3

    Change-Id: Ib611351987bed1199fb8f73a750955a61d022d0a

commit f5f9d791b0b8b32350bd9a47fbc00ff86a65f09d
Author: janonymous <email address hidden>
Date: Wed Aug 5 23:58:14 2015 +0530

    pep8 fix: assertEquals -> assertEqual

    assertEquals is deprecated in py3, replacing it.

    Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8
    Co-Authored-By: Ondřej Nový <email address hidden>

commit 1ba7641c794104de57e5010f76cecbf146a2a63b
Author: Zack M. Davis <email address hidden>
Date: Thu Oct 8 16:16:18 2015 -0700

    minutæ: port ClientException tweaks from swiftclient; dict .pop

    openstack/python-swiftclient@5ae4b423 changed python-swiftclient's
    ClientException to have its http_status attribute default to
    None (rather than 0) and to use super in its __init__ method. For
    consistency's sake, it's nice for Swift's inlined copy of
    ClientException to receive the same patch. Also, the retry function in
    direct_client (a major user of ClientException) was using a somewhat
    awkward conditional-assignment-and-delete construction where the .pop
    method of dictionaries would be more idiomatic.

    Change-Id: I70a12f934f84f57549617af28b86f7f5637bd8fa

commit 01f9d15045129d09...

Fix proposed to branch: feature/hummingbird
Review: https://review.openstack.org/236162

Reviewed: https://review.openstack.org/236162
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=18ddcaf0d6b67fcbb6b0a4cf4a9a99c72f6f3a08
Submitter: Jenkins
Branch: feature/hummingbird

commit a9ddc2d9ea402eaac7ccd8992387f77855968ab5
Author: Mahati Chamarthy <email address hidden>
Date: Fri Oct 16 18:18:33 2015 +0530

    Hyperlink fix to first contribution doc

    Change-Id: I19fc1abc89f888233b80a57c68a152c1c1758640

commit 83a1151d13e096b480aefe6ec18259f2d7d021db
Author: Pete Zaitcev <email address hidden>
Date: Fri Oct 9 16:45:20 2015 -0600

    Interpolate the explanation string not whole HTML body

    The only reason this exists is that I promised to do it.
    But in our case, there's no big advantage, and here's why.

    The general thinking goes that strings must be interpolated
    first because the body may contain a syntax that confuses the
    interpolation. So this patch makes the code "more correct".
    However, our HTML template is tightly controlled. It's not
    like it contains additional percents.

    So I'll just leave this here for now while I'm asking if
    the content type is set correctly.

    Change-Id: Ia18aeb0f94ef389f8b95450986a566e5fa06aa10

commit 384b91eb824376659989b904f9396cbf2e02d2bd
Author: asettle <email address hidden>
Date: Thu Sep 3 15:11:46 2015 +1000

    Moving DLO functionality doc to the middleware code

    This change moves the RST DLO documentation from
    statically inside overview_large_objects.rst and moves it
    to middleware/dlo.py.
    This is where all middleware RST documentation is defined.

    The overview_large_objects.rst is still the main page
    for information on large objects, so now dynamically
    points to both the DLO and SLO middleware RST
    documentation and the relevant middleware.rst page
    simply points to it.

    Change-Id: I40d918c8b7bc608ab945805d69fe359521df038a
    Closes-bug: #1276852

commit 2996974e5d48b4efaa1b271b8fbd0387bced7242
Author: Ondřej Nový <email address hidden>
Date: Sat Oct 10 14:56:30 2015 +0200

    Script for running unit, func and probe tests at once

    When developing Swift it's often needed to run all tests.
    This script makes it much simpler.

    Change-Id: I67e6f7cc05ebd0475001c1b56e8f6fd09c8c644f

commit c2182fd4163050a5f76eb3dedb7703dc821fa83d
Author: janonymous <email address hidden>
Date: Fri Jul 17 20:20:15 2015 +0530

    Python3: do not use im_self/im_func/func_closure

    Use __self__, __func__ and __closure__ instead, as they work
    with both Python 2 and 3.

    Modifying usage of __func__ in codebase.

    Change-Id: I57e907c28c1d4646605e70194ea3650806730b83

commit c0866ceaac2f69ae01345a795520141f59ec64f5
Author: Samuel Merritt <email address hidden>
Date: Fri Sep 25 17:26:37 2015 -0700

    Improve SLO PUT error checking

    This commit tries to give the user a reason that their SLO manifest
    was invalid instead of just saying "Invalid SLO Manifest File". It
    doesn't get every error condition, but it's better than before.

    Examples of things that now have real error...

This issue was fixed in the openstack/swift 2.5.0 release.