Users created to support software deployments can view all resources in a stack

Bug #1309219 reported by Clint Byrum
Affects         Status    Importance  Assigned to  Milestone
OpenStack Heat  Invalid   Critical    Unassigned
tripleo         Invalid   High        Unassigned

Bug Description

When using OS::Heat::AccessPolicy, one can restrict the access of a created user to a subset of resources. This helps to isolate security risks and prevent mistakes in configuration, as one compromise or misconfiguration of a particular resource will not yield access to a different, potentially more critical resource.

However, with OS::Heat::StructuredDeployment (and indeed, all deployments), the user created has unfettered access to read all of the resource metadata in the stack.
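The following HOT template illustrates the OS::Heat::AccessPolicy mechanism the report refers to. It is an added example, not part of the bug report and not taken from Heat's own documentation or code; the resource names, image and flavor values are made-up placeholders.

```yaml
# Added example (not from the bug report): a stack with two servers and one
# stack-scoped user whose metadata access is limited to a single resource.
heat_template_version: 2013-05-23

description: >
  Two servers; the generated user may read metadata for web_server only.

resources:
  web_server:
    type: OS::Nova::Server
    properties:
      image: cirros          # placeholder image name (assumption)
      flavor: m1.tiny        # placeholder flavor name (assumption)

  db_server:
    type: OS::Nova::Server
    properties:
      image: cirros          # placeholder image name (assumption)
      flavor: m1.tiny        # placeholder flavor name (assumption)

  # The policy enumerates the resources a user holding it is allowed to
  # touch. db_server is deliberately left out: a credential issued to
  # web_user cannot fetch db_server's resource metadata, so a compromise
  # of web_server does not expose whatever db_server carries.
  web_policy:
    type: OS::Heat::AccessPolicy
    properties:
      AllowedResources:
        - web_server

  # The stack user is bound to the policy through the Policies property
  # of AWS::IAM::User; without a policy the user would be unrestricted.
  web_user:
    type: AWS::IAM::User
    properties:
      Policies:
        - { get_resource: web_policy }

  # Keys for web_user carry the restriction above; the secret key would
  # normally be handed to web_server (for example via user_data).
  web_user_key:
    type: AWS::IAM::AccessKey
    properties:
      UserName: { get_resource: web_user }
```

With this template, a request for resource metadata signed by web_user_key succeeds for web_server and is refused for db_server. The report's concern was that users created implicitly by deployment resources (OS::Heat::StructuredDeployment and the other deployment types) are not registered through such a policy; the reporter's follow-up below notes that those users do have access controls registered elsewhere.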

Changed in tripleo:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Never mind... I missed where the access controls are registered.

Changed in heat:
status: Triaged → Invalid
Changed in tripleo:
status: Triaged → Invalid
