registry team mailing list archive

[Bug 644092] [NEW] authorization not checked in ec2 api

 

Public bug reported:

Users can see things they shouldn't be able to.

STEPS:

0) create two users a & b, NOT in the same project

1) start an instance as user a

2) get_console_output on user a's instance as user b

EXPECTED:

   the user should not get the output (user b should not be able to get
console output for instances they don't own)

ACTUAL:

   console output from instance is returned successfully

DETAILS:

for instance, get_console_output in cloud.py:

    def get_console_output(self, context, instance_id, **kwargs):
        instance_ref = db.instance_get_by_str(context, instance_id[0])
        return rpc.call('%s.%s' % (FLAGS.compute_topic,
                                   instance_ref['host']),
                        {"method": "get_console_output",
                         "args": {"context": None,
                                  "instance_id": instance_ref['id']}})

sends a context (which has the user/project) into the
instance_get_by_str function, but context is not used in the db layer to
determine if the user has access to the instance.

Similarly for all other data store objects.

PROPOSAL:

My thought is that the data layer should only return objects that the
user is authorized to see.  If we check at the API layer instead of the
data access layer, we have the possibility of inconsistent rules for the
same data types as the API evolves.

** Affects: nova
     Importance: High
         Status: New

** Changed in: nova
   Importance: Undecided => High

** Changed in: nova
    Milestone: None => austin-feature-freeze

-- 
authorization not checked in ec2 api
https://bugs.launchpad.net/bugs/644092
You received this bug notification because you are a member of Registry
Administrators, which is subscribed to OpenStack.
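
The data-layer check proposed in the report above, sketched as an added example; it is not part of the original report and not nova's code. `RequestContext`, `NotAuthorized`, `try_console`, the in-memory instance table and the project-ownership rule are all assumptions made for illustration.

```python
# Added illustration; not nova code. All names here are hypothetical.
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Raised when the caller's project does not own the object."""


@dataclass(frozen=True)
class RequestContext:
    user: str
    project: str
    is_admin: bool = False


# Constructed sample data standing in for the instances table.
_INSTANCES = {
    "i-00000001": {"id": 1, "project": "proj-a", "host": "node1",
                   "console": "boot ok"},
}


def instance_get_by_str(context, str_id):
    """Data-layer lookup that enforces ownership on every read."""
    if context is None:
        raise NotAuthorized("no request context supplied")
    ref = _INSTANCES.get(str_id)
    # Same error for "missing" and "not yours", so ids cannot be probed.
    if ref is None or not (context.is_admin
                           or ref["project"] == context.project):
        raise NotAuthorized("instance %s not visible" % str_id)
    return ref


def get_console_output(context, instance_id):
    """API handler: no authorization logic of its own to forget."""
    instance_ref = instance_get_by_str(context, instance_id[0])
    return instance_ref["console"]


def try_console(context, instance_id):
    """Return the console output, or None when access is denied."""
    try:
        return get_console_output(context, instance_id)
    except NotAuthorized:
        return None
```

Because the ownership test lives in the lookup itself, any other handler that reads an instance through `instance_get_by_str` gets the same rule without repeating it.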


