yahoo-eng-team team mailing list archive

[Bug 1644041] Re: heat_stack_owner users could see and delete other projects' heat stacks


** Also affects: heat
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1644041

Title:
  heat_stack_owner users could see and delete other projects' heat
  stacks

Status in heat:
  New
Status in OpenStack Identity (keystone):
  New

Bug description:
  In a Newton deployment we found that a heat_stack_owner user can delete
  a heat stack from other projects.

  For example, we have two domains, domain1 and domain2. In domain1 we
  have a project, project_domain1, which has a user, user1; in domain2 we
  have a project, project_domain2, which has a user, user2.

  domain1->project_domain1->user1
  domain2->project_domain2->user2

  Create stack1 using user1:
  {code}
  boston-citron:/opt/openstack # unset ${!OS_*}
  boston-citron:/opt/openstack # export OS_PROJECT_DOMAIN_NAME=domain1
  boston-citron:/opt/openstack # export OS_USER_DOMAIN_NAME=domain1
  boston-citron:/opt/openstack # export OS_PROJECT_NAME=project_domain1
  boston-citron:/opt/openstack # export OS_USERNAME=user1
  boston-citron:/opt/openstack # export OS_PASSWORD=123
  boston-citron:/opt/openstack # export OS_AUTH_URL="$(python -meci_python_libs.tools.get_keystone_private_endpoint_url)/v3"
  boston-citron:/opt/openstack # export OS_IDENTITY_API_VERSION=3

  boston-citron:/opt/openstack # openstack --insecure stack create stack1 -t word.yaml
  WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
  +---------------------+--------------------------------------------------------------------------------------------------+
  | Field               | Value                                                                                            |
  +---------------------+--------------------------------------------------------------------------------------------------+
  | id                  | e4f909a9-6e87-450a-9bbd-d2a24409367b                                                             |
  | stack_name          | stack1                                                                                           |
  | description         | A simple Heat template that spins up a 3 Tier App with 1 Web Server, 1 App Server,               |
  |                     | and 1 DB Server on private networks and attaches them to security groups (HOT template in YAML). |
  |                     |                                                                                                  |
  | creation_time       | 2016-11-22T22:27:49Z                                                                             |
  | updated_time        | None                                                                                             |
  | stack_status        | CREATE_IN_PROGRESS                                                                               |
  | stack_status_reason |                                                                                                  |
  +---------------------+--------------------------------------------------------------------------------------------------+
  {code}

  Then create stack2 using user2:

  {code}
  boston-citron:/opt/openstack # unset ${!OS_*}
  boston-citron:/opt/openstack # export OS_PROJECT_DOMAIN_NAME=domain2
  boston-citron:/opt/openstack # export OS_USER_DOMAIN_NAME=domain2
  boston-citron:/opt/openstack # export OS_PROJECT_NAME=project_domain2
  boston-citron:/opt/openstack # export OS_USERNAME=user2
  boston-citron:/opt/openstack # export OS_PASSWORD=123
  boston-citron:/opt/openstack # export OS_AUTH_URL="$(python -meci_python_libs.tools.get_keystone_private_endpoint_url)/v3"
  boston-citron:/opt/openstack # export OS_IDENTITY_API_VERSION=3
  boston-citron:/opt/openstack #
  boston-citron:/opt/openstack #
  boston-citron:/opt/openstack # openstack --insecure stack create stack2 -t word.yaml
  WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
  +---------------------+--------------------------------------------------------------------------------------------------+
  | Field               | Value                                                                                            |
  +---------------------+--------------------------------------------------------------------------------------------------+
  | id                  | b9476401-0da3-4c43-a0e4-3f8273a9e464                                                             |
  | stack_name          | stack2                                                                                           |
  | description         | A simple Heat template that spins up a 3 Tier App with 1 Web Server, 1 App Server,               |
  |                     | and 1 DB Server on private networks and attaches them to security groups (HOT template in YAML). |
  |                     |                                                                                                  |
  | creation_time       | 2016-11-22T22:28:07Z                                                                             |
  | updated_time        | None                                                                                             |
  | stack_status        | CREATE_IN_PROGRESS                                                                               |
  | stack_status_reason |                                                                                                  |
  +---------------------+--------------------------------------------------------------------------------------------------+
  {code}

  Then user2 could list both stacks and could also delete stack1:

  {code}
  boston-citron:/opt/openstack # openstack --insecure stack list
  WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
  +--------------------------------------+------------+--------------------+----------------------+--------------+
  | ID                                   | Stack Name | Stack Status       | Creation Time        | Updated Time |
  +--------------------------------------+------------+--------------------+----------------------+--------------+
  | b9476401-0da3-4c43-a0e4-3f8273a9e464 | stack2     | CREATE_IN_PROGRESS | 2016-11-22T22:28:07Z | None         |
  | e4f909a9-6e87-450a-9bbd-d2a24409367b | stack1     | CREATE_IN_PROGRESS | 2016-11-22T22:27:49Z | None         |
  +--------------------------------------+------------+--------------------+----------------------+--------------+

  boston-citron:/opt/openstack # openstack --insecure stack delete e4f909a9-6e87-450a-9bbd-d2a24409367b
  WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
  Are you sure you want to delete this stack(s) [y/N]? y
  boston-citron:/opt/openstack # openstack --insecure stack list
  WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
  +--------------------------------------+------------+--------------------+----------------------+--------------+
  | ID                                   | Stack Name | Stack Status       | Creation Time        | Updated Time |
  +--------------------------------------+------------+--------------------+----------------------+--------------+
  | b9476401-0da3-4c43-a0e4-3f8273a9e464 | stack2     | CREATE_COMPLETE    | 2016-11-22T22:28:07Z | None         |
  | e4f909a9-6e87-450a-9bbd-d2a24409367b | stack1     | DELETE_IN_PROGRESS | 2016-11-22T22:27:49Z | None         |
  +--------------------------------------+------------+--------------------+----------------------+--------------+
  {code}

  A user should never be able to delete a stack which belongs to another
  project if it is not a cloud admin. The situation that any
  heat_stack_owner user can delete any stack from any project is very
  dangerous.

To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1644041/+subscriptions
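The report above observes that holding the heat_stack_owner role was enough to list and delete a stack owned by a different project. The following is an added example, not code from the Heat or Keystone projects, that models the two authorization rules side by side: a role-presence check that reproduces the observed behaviour, and the project-scoped check the reporter expects (stack owner acts only within its own project; only a cloud admin crosses project boundaries). Heat itself enforces these rules through oslo.policy and its policy file; the `Context`, `Stack`, role names and stack ids below are constructed placeholders for illustration, and the admin rule is a simplified assumption (a bare `admin` role), not a description of any deployment's configuration.

```python
"""Added example (not Heat's own code): project-scope check for stack operations.

All identifiers below are constructed for the example; the stack ids and
project ids are placeholders, not values from a real deployment.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Context:
    """What a Keystone v3 token tells a service about the caller."""
    user_id: str
    project_id: str
    domain_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Stack:
    stack_id: str
    name: str
    project_id: str  # project (tenant) that owns the stack


def is_cloud_admin(ctx: Context) -> bool:
    # Simplified assumption for the example: a bare 'admin' role means cloud admin.
    # Real deployments should additionally scope admin to an admin project/domain.
    return "admin" in ctx.roles


def broken_may_delete(ctx: Context, stack: Stack) -> bool:
    """Models the behaviour the bug report observes: the role alone decides,
    and the stack's owning project is never compared with the caller's."""
    return is_cloud_admin(ctx) or "heat_stack_owner" in ctx.roles


def may_delete(ctx: Context, stack: Stack) -> bool:
    """Expected rule: stack owners act only on stacks of their own project;
    cloud admins may act on any stack."""
    if is_cloud_admin(ctx):
        return True
    return "heat_stack_owner" in ctx.roles and stack.project_id == ctx.project_id


def visible_stacks(ctx: Context, stacks: List[Stack], global_index: bool = False) -> List[Stack]:
    """Stack list: project-scoped, unless a cloud admin explicitly asks for
    the global (cross-project) index."""
    if global_index and is_cloud_admin(ctx):
        return list(stacks)
    return [s for s in stacks if s.project_id == ctx.project_id]


# Constructed sample data mirroring the report's layout:
# domain1 -> project_domain1 -> user1, domain2 -> project_domain2 -> user2.
USER1 = Context("user1", "proj-d1-placeholder", "domain1", frozenset({"heat_stack_owner"}))
USER2 = Context("user2", "proj-d2-placeholder", "domain2", frozenset({"heat_stack_owner"}))
ADMIN = Context("cloud-admin", "admin-proj-placeholder", "default", frozenset({"admin"}))

STACK1 = Stack("stack1-id-placeholder", "stack1", "proj-d1-placeholder")
STACK2 = Stack("stack2-id-placeholder", "stack2", "proj-d2-placeholder")
STACKS = [STACK1, STACK2]


def regression_report() -> dict:
    """Summarise what each rule allows, the way a policy regression test would."""
    return {
        "broken_user2_deletes_stack1": broken_may_delete(USER2, STACK1),
        "fixed_user2_deletes_stack1": may_delete(USER2, STACK1),
        "fixed_user1_deletes_stack1": may_delete(USER1, STACK1),
        "fixed_admin_deletes_stack1": may_delete(ADMIN, STACK1),
        "user2_sees": [s.name for s in visible_stacks(USER2, STACKS)],
        "admin_global_sees": [s.name for s in visible_stacks(ADMIN, STACKS, global_index=True)],
    }


if __name__ == "__main__":
    for key, value in regression_report().items():
        print(f"{key}: {value}")
```

The useful habit this illustrates is to test policy by role and by scope together: a check that passes for user1 on stack1 and for the admin, but fails for user2 on stack1, catches exactly the class of defect reported here, whereas a check that only asks "does the caller hold the role?" cannot.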