
yahoo-eng-team team mailing list archive

[Bug 1682062] Re: Nova policy allows all users with same tenant to delete/resize servers with all roles (viewer, non-admin roles)


Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1682062

Title:
  Nova policy allows all users with same tenant to delete/resize servers
  with all roles (viewer, non-admin roles)

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Nova policies mention the rule as "admin_or_owner" for critical
  compute operations such as resize, update, create_server, reboot etc.,
  which basically should be allowed ONLY for the ADMIN OR OWNER of the
  server instance. But the current Nova policy allows all users
  (irrespective of admin, viewer, member) to perform these operations.

  For example: if User1 (a member user) creates an instance (e.g. test_server)
  under the demo tenant, User2 (a viewer user) is able to resize
  test_server or delete test_server, whereas User2 should be allowed
  ONLY to VIEW test_server and not be able to perform any operation.

  Although OpenStack users can update the custom policy.py/policy.json files, the naming convention is a misnomer, as it says ADMIN_OR_OWNER, which is a big security vulnerability. We need to change the default behavior of Nova operations to allow only the following scenarios:
  1. ONLY an Admin belonging to the tenant should be able to create/update/resize/delete server instances.
  2. The OWNER user who created the instance should be able to create/update/resize/delete server instances.

  Apart from the above scenarios, we should not allow any other user to
  perform such critical operations, even as a default operation for Nova.

  stack@devstack:~/devstack$ nova show test_server_pk
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------------------------------------------------------+
  | Property                             | Value                                                          |
  +--------------------------------------+----------------------------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                                         |
  | OS-EXT-AZ:availability_zone          | nova                                                           |
  | OS-EXT-STS:power_state               | 1                                                              |
  | OS-EXT-STS:task_state                | -                                                              |
  | OS-EXT-STS:vm_state                  | active                                                         |
  | OS-SRV-USG:launched_at               | 2017-04-12T08:42:59.000000                                     |
  | OS-SRV-USG:terminated_at             | -                                                              |
  | accessIPv4                           |                                                                |
  | accessIPv6                           |                                                                |
  | config_drive                         |                                                                |
  | created                              | 2017-04-11T12:09:23Z                                           |
  | description                          | -                                                              |
  | flavor                               | ds512M (d1)                                                    |
  | hostId                               | 87b5e4756d250749a8c02c0afa91c37ae08654b85c3a46903767b78d       |
  | id                                   | b209b443-0a94-407f-aa5b-a0ce8d426add                           |
  | image                                | cirros-0.3.4-x86_64-uec (f4e982cb-5d76-4782-bf90-172a067fbf11) |
  | key_name                             | -                                                              |
  | locked                               | False                                                          |
  | metadata                             | {}                                                             |
  | name                                 | test_server_pk                                                 |
  | os-extended-volumes:volumes_attached | []                                                             |
  | private network                      | 10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c                |
  | progress                             | 0                                                              |
  | security_groups                      | default                                                        |
  | status                               | ACTIVE                                                         |
  | tags                                 | []                                                             |
  | tenant_id                            | 12397ec84f3d44e5af23477be543f15b                               |
  | updated                              | 2017-04-12T08:45:03Z                                           |
  | user_id                              | 6ef27d071a07425a8ff1219a2c2a24f2                               |
  +--------------------------------------+----------------------------------------------------------------+
  stack@devstack:~/devstack$ openstack user list
  You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-d9a44a4d-9c62-489a-a4ed-7390e46cd829)
  stack@devstack:~/devstack$ source openrc admin admin
  WARNING: setting legacy OS_TENANT_NAME to support cli tools.
  stack@devstack:~/devstack$ openstack user list
  +----------------------------------+-------------------+
  | ID                               | Name              |
  +----------------------------------+-------------------+
  | 15c1c630f1d0455d8cdade9c70e4a9f0 | ceilometer        |
  | 16e6944172194270ae13c38e93d10b5b | demo              |
  | 1de8fc327f3945839aa1c1f716c33fbf | admin             |
  | 23cb3e28ab964f4196304986c5da43e8 | swiftusertest1    |
  | 2a695267080c43578db917403cfbbdf6 | nova              |
  | 3192055e13874ec0a927b9cdf0fe5bf3 | demo_user         |
  | 3f3114983129485db853434e89b50309 | demo_user_new     |
  | 3f36399f685e4078b0b734d307c1b30a | swiftusertest2    |
  | 40a08b905c6046f78f3851502890ff4b | swiftusertest4    |
  | 4804abc26d9e4a29b4dfc1d537fa73ee | viewer_user       |
  | 4d221d452f504b388f5490a87aa85891 | glance-swift      |
  | 5d1e56209a7741f5b0d864e87d84239a | ember_user        |
  | 6a6fccb5425b4c7a963460ec6577beb3 | swiftusertest3    |
  | 6e3092b9522749fd9523c79bf5c8f56c | alt_demo          |
  | 6ef27d071a07425a8ff1219a2c2a24f2 | demo_user_new3    |
  | 76bfe0baf9054790a7731835cf1a5bbd | demo_user2        |
  | 7d85098334254ba593bcb3400e876795 | neutron           |
  | 82b709e01fb14567adda7223cb6e8658 | placement         |
  | a1d944ba9866404f9b44887f23522a84 | swift             |
  | aeeb48f0c47f488fac6973678643efd9 | cinder            |
  | caad72ba1be14f25b81641ff5dbbb67d | glance            |
  | d3a825333ac243feaed0ffe4abccf37f | heat_domain_admin |
  | d51513c584da48e8bf620d8d355732f0 | heat              |
  | fbd6b76a739b4d50a799e3832cdc06c2 | demo_user_new2    |
  +----------------------------------+-------------------+
  stack@devstack:~/devstack$ source openrc demo_user_new3 demo
  WARNING: setting legacy OS_TENANT_NAME to support cli tools.
  stack@devstack:~/devstack$ locate policy.py^C
  stack@devstack:~/devstack$ ^C
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | ACTIVE | -          | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$ source openrc demo_user_new2 demo
  WARNING: setting legacy OS_TENANT_NAME to support cli tools.
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | ACTIVE | -          | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$ openstack server resize b209b443-0a94-407f-aa5b-a0ce8d426add --flavor d2
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State       | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | RESIZE | resize_migrating | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$ nova show b209b443-0a94-407f-aa5b-a0ce8d426add
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------------------------------------------------------+
  | Property                             | Value                                                          |
  +--------------------------------------+----------------------------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                                         |
  | OS-EXT-AZ:availability_zone          | nova                                                           |
  | OS-EXT-STS:power_state               | 1                                                              |
  | OS-EXT-STS:task_state                | resize_migrating                                               |
  | OS-EXT-STS:vm_state                  | active                                                         |
  | OS-SRV-USG:launched_at               | 2017-04-12T08:42:59.000000                                     |
  | OS-SRV-USG:terminated_at             | -                                                              |
  | accessIPv4                           |                                                                |
  | accessIPv6                           |                                                                |
  | config_drive                         |                                                                |
  | created                              | 2017-04-11T12:09:23Z                                           |
  | description                          | -                                                              |
  | flavor                               | ds512M (d1)                                                    |
  | hostId                               | 87b5e4756d250749a8c02c0afa91c37ae08654b85c3a46903767b78d       |
  | id                                   | b209b443-0a94-407f-aa5b-a0ce8d426add                           |
  | image                                | cirros-0.3.4-x86_64-uec (f4e982cb-5d76-4782-bf90-172a067fbf11) |
  | key_name                             | -                                                              |
  | locked                               | False                                                          |
  | metadata                             | {}                                                             |
  | name                                 | test_server_pk                                                 |
  | os-extended-volumes:volumes_attached | []                                                             |
  | private network                      | 10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c                |
  | progress                             | 0                                                              |
  | security_groups                      | default                                                        |
  | status                               | RESIZE                                                         |
  | tags                                 | []                                                             |
  | tenant_id                            | 12397ec84f3d44e5af23477be543f15b                               |
  | updated                              | 2017-04-12T08:58:10Z                                           |
  | user_id                              | 6ef27d071a07425a8ff1219a2c2a24f2                               |
  +--------------------------------------+----------------------------------------------------------------+
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State       | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | RESIZE | resize_migrating | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State       | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | RESIZE | resize_migrating | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State       | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | RESIZE | resize_migrating | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State       | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | RESIZE | resize_migrating | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+---------------+------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status        | Task State | Power State | Networks                                                |
  +--------------------------------------+----------------+---------------+------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | VERIFY_RESIZE | -          | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+---------------+------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$ vi /opt/stack/nova/nova/policies/servers.py^C
  stack@devstack:~/devstack$ ^C
  stack@devstack:~/devstack$ ^C
  stack@devstack:~/devstack$ openstack server resize b209b443-0a94-407f-aa5b-a0ce8d426add --confirm
  stack@devstack:~/devstack$ nova list
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  | ID                                   | Name           | Status | Task State | Power State | Networks                                                |
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  | b209b443-0a94-407f-aa5b-a0ce8d426add | test_server_pk | ACTIVE | -          | Running     | private=10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c |
  +--------------------------------------+----------------+--------+------------+-------------+---------------------------------------------------------+
  stack@devstack:~/devstack$ nova show b209b443-0a94-407f-aa5b-a0ce8d426add
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  +--------------------------------------+----------------------------------------------------------------+
  | Property                             | Value                                                          |
  +--------------------------------------+----------------------------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                                         |
  | OS-EXT-AZ:availability_zone          | nova                                                           |
  | OS-EXT-STS:power_state               | 1                                                              |
  | OS-EXT-STS:task_state                | -                                                              |
  | OS-EXT-STS:vm_state                  | active                                                         |
  | OS-SRV-USG:launched_at               | 2017-04-12T08:59:15.000000                                     |
  | OS-SRV-USG:terminated_at             | -                                                              |
  | accessIPv4                           |                                                                |
  | accessIPv6                           |                                                                |
  | config_drive                         |                                                                |
  | created                              | 2017-04-11T12:09:23Z                                           |
  | description                          | -                                                              |
  | flavor                               | ds1G (d2)                                                      |
  | hostId                               | 87b5e4756d250749a8c02c0afa91c37ae08654b85c3a46903767b78d       |
  | id                                   | b209b443-0a94-407f-aa5b-a0ce8d426add                           |
  | image                                | cirros-0.3.4-x86_64-uec (f4e982cb-5d76-4782-bf90-172a067fbf11) |
  | key_name                             | -                                                              |
  | locked                               | False                                                          |
  | metadata                             | {}                                                             |
  | name                                 | test_server_pk                                                 |
  | os-extended-volumes:volumes_attached | []                                                             |
  | private network                      | 10.0.0.12, fdb6:b061:3dd9:0:f816:3eff:fe1f:dc0c                |
  | progress                             | 0                                                              |
  | security_groups                      | default                                                        |
  | status                               | ACTIVE                                                         |
  | tags                                 | []                                                             |
  | tenant_id                            | 12397ec84f3d44e5af23477be543f15b                               |
  | updated                              | 2017-04-12T08:59:48Z                                           |
  | user_id                              | 6ef27d071a07425a8ff1219a2c2a24f2                               |
  +--------------------------------------+----------------------------------------------------------------+
  stack@devstack:~/devstack$ nova delete b209b443-0a94-407f-aa5b-a0ce8d426add
  /usr/local/lib/python2.7/dist-packages/novaclient/client.py:278: UserWarning: The 'tenant_id' argument is deprecated in Ocata and its use may result in errors in future releases. As 'project_id' is provided, the 'tenant_id' argument will be ignored.
    warnings.warn(msg)
  Request to delete server b209b443-0a94-407f-aa5b-a0ce8d426add has been accepted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1682062/+subscriptions
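The report above turns on how Nova's "admin_or_owner" rule is actually evaluated: the default rule string compares only the caller's project_id with the target's, so every member of the project passes, whatever their role. The following is an added example, not code from the bug report or from Nova/oslo.policy itself: a deliberately small re-implementation of oslo.policy's rule syntax ("and"/"or" combinators, "rule:", "role:" and generic "key:%(target_key)s" checks) run over a constructed policy table. The "admin_or_owner" string is the Nova default as known from nova/policies/base.py; "owner_only" and the "delete_strict" action are hypothetical, added only to show what a user-scoped rule would change. It also assumes the enforcement target carries the server's own project_id and user_id. Project and user IDs are taken from the report's terminal output; role names are constructed.

```python
"""Minimal oslo.policy-style rule evaluator (illustrative re-implementation).

Grammar supported (a subset of what oslo.policy accepts):
  atom     := "rule:<name>" | "role:<name>" | "<cred_key>:<literal>"
            | "<cred_key>:%(<target_key>)s"
  rule_str := atom (" and " atom)* (" or " atom (" and " atom)*)*
"and" binds tighter than "or", as in oslo.policy; parentheses and "not"
are not handled here.
"""
from typing import Any, Dict

# Constructed policy table. "admin_or_owner" matches the Nova default rule;
# "owner_only" / "delete_strict" are hypothetical, for comparison only.
POLICY: Dict[str, str] = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "owner_only": "is_admin:True or project_id:%(project_id)s and user_id:%(user_id)s",
    "os_compute_api:servers:delete": "rule:admin_or_owner",
    "os_compute_api:servers:delete_strict": "rule:owner_only",
}


def _check_atom(atom: str, creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    """Evaluate one "kind:match" atom against the caller's credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                       # reference to another named rule
        return check_rule(match, creds, target)
    if kind == "role":                       # role membership on the token
        return match in creds.get("roles", [])
    # Generic check: "%(key)s" is substituted from the enforcement target,
    # anything else is a literal; both sides are compared as strings,
    # mirroring oslo.policy's GenericCheck.
    if match.startswith("%(") and match.endswith(")s"):
        key = match[2:-2]
        if key not in target:
            return False
        match = str(target[key])
    return kind in creds and str(creds[kind]) == match


def _evaluate(rule_str: str, creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    # Each " or "-separated disjunct is an " and "-conjunction of atoms.
    for disjunct in rule_str.split(" or "):
        if all(_check_atom(a.strip(), creds, target) for a in disjunct.split(" and ")):
            return True
    return False


def check_rule(name: str, creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    return _evaluate(POLICY[name], creds, target)


def enforce(action: str, creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    """Return True if `creds` may perform `action` on `target`."""
    return check_rule(action, creds, target)


# Sample data. Project and user IDs are those shown in the bug report's
# terminal output; the role names and the other-project user are constructed.
PROJECT = "12397ec84f3d44e5af23477be543f15b"
SERVER = {"project_id": PROJECT, "user_id": "6ef27d071a07425a8ff1219a2c2a24f2"}  # test_server_pk
USERS: Dict[str, Dict[str, Any]] = {
    "creator (demo_user_new3)": {"project_id": PROJECT, "user_id": "6ef27d071a07425a8ff1219a2c2a24f2",
                                 "roles": ["member"], "is_admin": False},
    "same-project viewer (demo_user_new2)": {"project_id": PROJECT, "user_id": "fbd6b76a739b4d50a799e3832cdc06c2",
                                             "roles": ["viewer"], "is_admin": False},
    "other-project member (constructed)": {"project_id": "00000000000000000000000000000000",
                                           "user_id": "ffffffffffffffffffffffffffffffff",
                                           "roles": ["member"], "is_admin": False},
    "cloud admin": {"project_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "user_id": "1de8fc327f3945839aa1c1f716c33fbf",
                    "roles": ["admin"], "is_admin": True},
}


def who_may(action: str) -> Dict[str, bool]:
    """Evaluate `action` on SERVER for every sample caller."""
    return {who: enforce(action, creds, SERVER) for who, creds in USERS.items()}


if __name__ == "__main__":
    for action in ("os_compute_api:servers:delete", "os_compute_api:servers:delete_strict"):
        print(action)
        for who, allowed in who_may(action).items():
            print(f"  {who:40s} {'ALLOWED' if allowed else 'denied'}")
```

Running it shows the same-project viewer allowed under the default "admin_or_owner" rule and denied under the user-scoped "owner_only" rule, while the creator and the admin pass both. Tightening the rule this way is a policy decision rather than a drop-in fix: it also denies colleagues in the same project who legitimately share servers, and it only helps if the enforcement target really is the server's project_id and user_id, so any deployment changing the default should confirm what target its Nova version passes to the policy engine.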