Message #19530
[Bug 644092] [NEW] authorization not checked in ec2 api
Public bug reported:
Users can see things they shouldn't be able to.
STEPS:
0) create two users a & b, NOT in the same project
1) start an instance as user a
2) get_console_output on user a's instance as user b
EXPECTED:
the user should not get the output (user b should not be able to get
console output for instances they don't own)
ACTUAL:
console output from instance is returned successfully
DETAILS:
for instance, get_console_output in cloud.py:
    def get_console_output(self, context, instance_id, **kwargs):
        # context carries the caller's user and project, but the db layer
        # never consults it when looking up the instance
        instance_ref = db.instance_get_by_str(context, instance_id[0])
        return rpc.call('%s.%s' % (FLAGS.compute_topic,
                                   instance_ref['host']),
                        {"method": "get_console_output",
                         "args": {"context": None,
                                  "instance_id": instance_ref['id']}})
sends a context (which has the user/project) into the
instance_get_by_str function, but context is not used in the db layer to
determine if the user has access to the instance.
Similarly for all other data store objects.
PROPOSAL:
My thought is that the datalayer should only return objects that the
user is authorized to see. If we check at the API layer instead of the
data access layer, we have the possibility of inconsistent rules for the
same data types as the API evolves.
** Affects: nova
Importance: High
Status: New
** Changed in: nova
Importance: Undecided => High
** Changed in: nova
Milestone: None => austin-feature-freeze
--
authorization not checked in ec2 api
https://bugs.launchpad.net/bugs/644092
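Added illustration (not code from the bug report or from nova) of the gap the report describes and of the proposed fix. It models the cloud.py pattern with a tiny in-memory data layer: `instance_get_by_str_unchecked` accepts a context and ignores it, as the report says the real db layer did, while `instance_get_by_str` enforces ownership at the data access layer, which is the reporter's proposal. The `Context`, `Instance` and `InstanceNotFound` names, the per-project ownership rule, the admin bypass and the sample instances are all assumptions made for this example; the RPC to the compute host is replaced by a dict showing what would be sent.

```python
"""Example for the "authorization not checked" report: data-layer lookup
without and with an ownership check.  Illustration only, not nova code.
Names, the project-based ownership rule and the sample data are assumptions
made for this example."""
from dataclasses import dataclass


class InstanceNotFound(Exception):
    """Raised for instances the caller may not see, whether or not they exist."""


@dataclass(frozen=True)
class Context:
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Instance:
    id: int
    name: str          # EC2-style id such as "i-00000001" (constructed)
    project_id: str
    host: str


# Constructed sample data: two projects, one instance each.
INSTANCES = [
    Instance(1, "i-00000001", "project-a", "compute1"),
    Instance(2, "i-00000002", "project-b", "compute2"),
]


def instance_get_by_str_unchecked(context, name):
    """The pattern the report describes: context is accepted but never used,
    so any authenticated caller can fetch any instance."""
    for inst in INSTANCES:
        if inst.name == name:
            return inst
    raise InstanceNotFound(name)


def instance_get_by_str(context, name):
    """Shape of the proposed fix: the data layer only returns objects the
    caller is authorized to see.  Non-admins are restricted to their own
    project.  The same error is raised whether the instance does not exist
    or belongs to another project, so the response does not confirm existence."""
    visible = [i for i in INSTANCES
               if context.is_admin or i.project_id == context.project_id]
    for inst in visible:
        if inst.name == name:
            return inst
    raise InstanceNotFound(name)


def get_console_output(context, instance_id, db_lookup=instance_get_by_str):
    """API-layer handler modelled on the cloud.py excerpt.  No authorization
    logic lives here; the decision is made entirely by db_lookup, so every
    API method using the data layer gets the same rule."""
    instance_ref = db_lookup(context, instance_id)
    return {
        "topic": f"compute.{instance_ref.host}",
        "method": "get_console_output",
        "args": {"instance_id": instance_ref.id},
    }


def reproduce():
    """Walk through the report's STEPS against both data-layer variants."""
    user_b = Context("user-b", "project-b")
    # Step 2 against the unchecked data layer: user b reads a's console.
    leaked = get_console_output(user_b, "i-00000001",
                                db_lookup=instance_get_by_str_unchecked)
    # Same call against the checked data layer: refused.
    try:
        get_console_output(user_b, "i-00000001")
        refused = False
    except InstanceNotFound:
        refused = True
    # The owner and an admin still succeed.
    owner = get_console_output(Context("user-a", "project-a"), "i-00000001")
    admin = get_console_output(Context("root", "admin", is_admin=True),
                               "i-00000001")
    return {"leaked_before_fix": leaked["args"]["instance_id"] == 1,
            "refused_after_fix": refused,
            "owner_ok": owner["args"]["instance_id"] == 1,
            "admin_ok": admin["args"]["instance_id"] == 1}


if __name__ == "__main__":
    for check, result in reproduce().items():
        print(f"{check}: {result}")
```

Running the script reports that the unchecked lookup leaks user a's instance to user b, while the checked lookup refuses it and still serves the owner and an admin. Putting the filter in the data layer rather than in each API method is what keeps the rule consistent across methods as the API grows, which is the point the proposal makes.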