yahoo-eng-team team mailing list archive
Message #54663
[Bug 1609691] [NEW] Non-admin users can lists VM instances of other projects (tenants) by default
*** This bug is a security vulnerability ***
Public security bug reported:
Non-admin users can list VM instances of other projects (tenants) by default.
They should not be able to see VM instances of other projects by default.
stack@devstack-master:/opt/devstack$ openstack project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 33621006e3744ecea0b7090658601929 | alt_demo           |
| 6773c471c311455d862ed22f685574b0 | admin              |
| 850f809b7ee5469f8aa639b4717f58a5 | demo               |
| 95a64b7c097e4b69bd8af9224f332cd6 | invisible_to_admin |
| c65ecc9a29e64e83bedf0609bb27266f | service            |
+----------------------------------+--------------------+
stack@devstack-master:/opt/devstack$ openstack user list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 60066d4ac41a44d1ab6abea61809e78a | admin    |
| 896d17cb7d0f49f585ce460f61f35a5a | demo     |
| 6fcc02a6cfa64de097d15d2535d0108e | alt_demo |
| b703f8d08aae46e0bad0fe3022d13250 | nova     |
| 205a38f88db84c13bb84274456da8b69 | glance   |
| c2a64c7cffae430493dac9d8b4ef6470 | cinder   |
| 5ad6f4ce7c64489e965d56eba081e2a9 | neutron  |
| 2d16f7d5f324446dbfa30db2a04f9658 | heat     |
+----------------------------------+----------+
stack@devstack-master:/opt/devstack$ openstack user role list --project admin admin
+----------------------------------+-------+---------+-------+
| ID                               | Name  | Project | User  |
+----------------------------------+-------+---------+-------+
| 915b08cc7e6b40ceb55a803e8a843d0d | admin | admin   | admin |
+----------------------------------+-------+---------+-------+
stack@devstack-master:/opt/devstack$ openstack user role list --project demo demo
+----------------------------------+-------------+---------+------+
| ID                               | Name        | Project | User |
+----------------------------------+-------------+---------+------+
| cf49079e087a4c61935bac9a5c6c224d | Member      | demo    | demo |
| 664e30492b954257ae579e8498c4fc78 | anotherrole | demo    | demo |
+----------------------------------+-------------+---------+------+
Operated by admin:
stack@devstack-master:/opt/devstack$ nova show server1
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
(snipped...)
| OS-EXT-STS:vm_state                  | active                                                         |
(snipped...)
| id                                   | 853d681b-de17-4fd3-bcd6-0f91d153ccd6                           |
(snipped...)
| name                                 | server1                                                        |
(snipped...)
| tenant_id                            | 6773c471c311455d862ed22f685574b0                               | * admin
| updated                              | 2016-08-04T08:09:49Z                                           |
| user_id                              | 60066d4ac41a44d1ab6abea61809e78a                               | * admin
+--------------------------------------+----------------------------------------------------------------+
Operated by demo:
stack@devstack-master:/opt/devstack$ env | grep OS
(snipped...)
OS_USERNAME=demo
OS_TENANT_NAME=demo
(snipped...)
stack@devstack-master:/opt/devstack$ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+
stack@devstack-master:/opt/devstack$ nova list --all-tenants
+--------------------------------------+---------+----------------------------------+--------+------------+-------------+--------------------------------+
| ID                                   | Name    | Tenant ID                        | Status | Task State | Power State | Networks                       |
+--------------------------------------+---------+----------------------------------+--------+------------+-------------+--------------------------------+
| 853d681b-de17-4fd3-bcd6-0f91d153ccd6 | server1 | 6773c471c311455d862ed22f685574b0 | ACTIVE | -          | Running     | public=2001:db8::4, 10.0.2.201 |
+--------------------------------------+---------+----------------------------------+--------+------------+-------------+--------------------------------+
[Environment]
OS: Ubuntu 14.04.1 LTS (64bit)
nova master(commit: 5d040245e750aab06c620344828c2182703515b7)
** Affects: nova
Importance: Undecided
Assignee: Takashi NATSUME (natsume-takashi)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1609691
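A regression check for the behaviour reported above, as an added example that is not part of the original bug report or of nova's own code: it parses the table printed by `nova list --all-tenants` and returns every instance whose Tenant ID differs from the caller's project. The function and constant names are this example's own; the sample table and project IDs are taken from the report (borders shortened).

```python
"""Tenant-isolation check over `nova list --all-tenants` output (added example)."""

# What the non-admin user "demo" received in the report (borders shortened).
DEMO_ALL_TENANTS_OUTPUT = """\
+--------------------------------------+---------+----------------------------------+
| ID | Name | Tenant ID | Status | Task State | Power State | Networks |
+--------------------------------------+---------+----------------------------------+
| 853d681b-de17-4fd3-bcd6-0f91d153ccd6 | server1 | 6773c471c311455d862ed22f685574b0 | ACTIVE | - | Running | public=2001:db8::4, 10.0.2.201 |
+--------------------------------------+---------+----------------------------------+
"""

# Project IDs from the `openstack project list` output in the report.
DEMO_PROJECT_ID = "850f809b7ee5469f8aa639b4717f58a5"
ADMIN_PROJECT_ID = "6773c471c311455d862ed22f685574b0"


def parse_cli_table(text):
    """Turn a '+---+'-bordered CLI table into a list of {column: value} dicts."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, shell prompts and "(snipped...)" markers
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if header is None:
            header = cells  # first '|' line is the column header
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def foreign_instances(table_text, caller_project_id):
    """Return the rows owned by a project other than the caller's."""
    leaked = []
    for row in parse_cli_table(table_text):
        if "Tenant ID" not in row:
            raise ValueError("table has no 'Tenant ID' column")
        if row["Tenant ID"] != caller_project_id:
            leaked.append(row)
    return leaked


if __name__ == "__main__":
    for row in foreign_instances(DEMO_ALL_TENANTS_OUTPUT, DEMO_PROJECT_ID):
        print("cross-tenant instance visible: %s (%s), owner project %s"
              % (row["Name"], row["ID"], row["Tenant ID"]))
```

Run as a non-admin user against a test deployment, a non-empty result means the listing is not scoped to the caller's project.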