← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #62503

[Bug 1674464] Re: Non-admin user incorrectly allowed to perform port binding actions

  Thread PreviousDate PreviousThread Next 
** Information type changed from Private Security to Private

** Information type changed from Private to Public

** Changed in: ossa
       Status: Incomplete => Invalid

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  Currently, 4 policy actions, defined as admin_only, are capable of being
  executed by a non-admin user from the CLI.
  
  The following 4 policy actions that are not being enforced correctly are
  defined as follows:
  
  "get_port:binding:vif_type": "rule:admin_only",
  "get_port:binding:vif_details": "rule:admin_only",
  "get_port:binding:host_id": "rule:admin_only",
  "get_port:binding:profile": "rule:admin_only"
  
  Scenario:
  
  1) Remove/clear all Neutron logs, e.g. rm /opt/stack/logs/*
  2a) EXPORT OS_USERNAME=demo (where demo is a user without admin role)
  2b) (Export any other environment variables needed to authenticate against Keystone)
  3) Execute (from CLI): neutron port-show --field binding:profile --field name --field id 9ca15405-1406-4726-8440-86f7083b4395
  
  Expected:
  403 Forbidden error (or something else like 404 Not Found).
  
  Actual:
  This incorrectly shows up:
  +-------+--------------------------------------+
  | Field | Value                                |
  +-------+--------------------------------------+
  | id    | 9ca15405-1406-4726-8440-86f7083b4395 |
  | name  |                                      |
  +-------+--------------------------------------+
  
  In addition, opening q-svc.log shows the following DEBUG message:
  "Enforcing rules: ['get_port:binding:profile']".
  
  NOTE: It may take a few seconds for this line to appear in the logs
  (close and re-open if not there).
  
  This means that the policy action was enforced, but did not work as
  intended.
  
  This same scenario can be repeated for the 3 other policy actions.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1674464

Title:
  Non-admin user incorrectly allowed to perform port binding actions

Status in neutron:
  Incomplete
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  Currently, 4 policy actions, defined as admin_only, are capable of
  being executed by a non-admin user from the CLI.

  The following 4 policy actions that are not being enforced correctly
  are defined as follows:

  "get_port:binding:vif_type": "rule:admin_only",
  "get_port:binding:vif_details": "rule:admin_only",
  "get_port:binding:host_id": "rule:admin_only",
  "get_port:binding:profile": "rule:admin_only"

  Scenario:

  1) Remove/clear all Neutron logs, e.g. rm /opt/stack/logs/*
  2a) EXPORT OS_USERNAME=demo (where demo is a user without admin role)
  2b) (Export any other environment variables needed to authenticate against Keystone)
  3) Execute (from CLI): neutron port-show --field binding:profile --field name --field id 9ca15405-1406-4726-8440-86f7083b4395

  Expected:
  403 Forbidden error (or something else like 404 Not Found).

  Actual:
  This incorrectly shows up:
  +-------+--------------------------------------+
  | Field | Value                                |
  +-------+--------------------------------------+
  | id    | 9ca15405-1406-4726-8440-86f7083b4395 |
  | name  |                                      |
  +-------+--------------------------------------+

  In addition, opening q-svc.log shows the following DEBUG message:
  "Enforcing rules: ['get_port:binding:profile']".

  NOTE: It may take a few seconds for this line to appear in the logs
  (close and re-open if not there).

  This means that the policy action was enforced, but did not work as
  intended.

  This same scenario can be repeated for the 3 other policy actions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1674464/+subscriptions
  Thread PreviousDate PreviousThread Next