← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1493448] Re: All operations are perfomed with admin priveleges when 'use_user_token' is False

 

This has been published as OSSN-0060:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0060

** Changed in: ossn
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1493448

Title:
  All operations are perfomed with admin priveleges when
  'use_user_token' is False

Status in Glance:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  In glance-api.conf we have a param called 'use_user_token' which is
  enabled by default. It was introduced to allow for reauthentication
  when tokens expire and prevents requests from silently failing.
  https://review.openstack.org/#/c/29967/

  Unfortunately disabling this parameter leads to security issues and
  allows a regular user to perform any operation with admin rights.

  Steps to reproduce on devstack:
  1. Change /etc/glance/glance-api.conf parameters and restart glance-api:
  # Pass the user's token through for API requests to the registry.
  # Default: True
  use_user_token = False

  # If 'use_user_token' is not in effect then admin credentials
  # can be specified. Requests to the registry on behalf of
  # the API will use these credentials.
  # Admin user name
  admin_user = glance
  # Admin password
  admin_password = nova
  # Admin tenant name
  admin_tenant_name = service
  # Keystone endpoint
  auth_url = http://127.0.0.1:5000/v2.0

  (for v2 api it's required to enable registry service, too: data_api =
  glance.db.registry.api)

  2. Create a private image with admin user:
  source openrc admin admin
  glance --os-image-api-version 1 image-create --name private --is-public False --disk-format qcow2 --container-format bare --file /etc/fstab
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | e533283e6aac072533d1d091a7d2e413     |
  | container_format | bare                                 |
  | created_at       | 2015-09-01T22:17:25.000000           |
  | deleted          | False                                |
  | deleted_at       | None                                 |
  | disk_format      | qcow2                                |
  | id               | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
  | is_public        | False                                |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | private                              |
  | owner            | e1cec705e33b4dfaaece11b623f3c680     |
  | protected        | False                                |
  | size             | 616                                  |
  | status           | active                               |
  | updated_at       | 2015-09-01T22:17:27.000000           |
  | virtual_size     | None                                 |
  +------------------+--------------------------------------+

  3. Check the image list with admin user:
  glance --os-image-api-version 1 image-list
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec         | ami         | ami              | 25165824 | active |
  | c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel  | aki         | aki              | 4979632  | active |
  | de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari         | ari              | 3740163  | active |
  | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private                         | qcow2       | bare             | 616      | active |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+

  4. Enable demo user and get the image list:
  source openrc demo demo
  glance --os-image-api-version 1 image-list
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec         | ami         | ami              | 25165824 | active |
  | c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel  | aki         | aki              | 4979632  | active |
  | de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari         | ari              | 3740163  | active |
  | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private                         | qcow2       | bare             | 616      | active |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+

  5. Try to get access to admin's private image with demo user:

  glance --os-image-api-version 1 image-show private
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | e533283e6aac072533d1d091a7d2e413     |
  | container_format | bare                                 |
  | created_at       | 2015-09-01T22:17:25.000000           |
  | deleted          | False                                |
  | disk_format      | qcow2                                |
  | id               | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
  | is_public        | False                                |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | private                              |
  | owner            | e1cec705e33b4dfaaece11b623f3c680     |
  | protected        | False                                |
  | size             | 616                                  |
  | status           | active                               |
  | updated_at       | 2015-09-01T22:17:27.000000           |
  +------------------+--------------------------------------+

  The same happens when demo user wants to create/update/delete any
  image. v2 with enabled registry backend is affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1493448/+subscriptions