yahoo-eng-team team mailing list archive

[Bug 1677723] Re: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

 

Reviewed:  https://review.openstack.org/459742
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=53a4f33f8872b5bad05d26e63c323a31ad8189b4
Submitter: Jenkins
Branch:    master

commit 53a4f33f8872b5bad05d26e63c323a31ad8189b4
Author: Tristan Cacqueray <tdecacqu@xxxxxxxxxx>
Date:   Tue Apr 25 14:02:09 2017 +0000

    Adds OSSA-2017-004 (CVE-2017-2673)
    
    Change-Id: I8c1166125c7c1e206eefbe518be7bff3376c055c
    Closes-Bug: #1677723


** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1677723

Title:
  [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Keystone stable/ocata. Federation is used with the following mapping:
  http://paste.openstack.org/show/ou0GTGp9fTQIzcHtixUU/ . As you can
  see, all users get a _member_ role, which has almost no permissions,
  and this role is granted for the newly-created project.

  User admin@Default, with role admin in project admin@Default wants to
  do something for project "Dev project for unprivileged@xxxxxxxxxxxx".
  admin@Default assigns themselves role admin on the project (openstack
  role add --user admin --user-domain Default --project <id for Dev
  project for unprivileged@> admin)

  At this point, if federated user "unprivileged@xxxxxxxxxxxx" gets a
  new token by going through federation and then scopes the token, they
  get a token with role admin. Here is an example of such token:
  http://paste.openstack.org/show/7vncdFywNmi6WZ9S7KXX/. In horizon it
  means they can see and do everything admin can do.

  There is no record about unprivileged user having role admin in the
  database. This assignment is not displayed in `openstack role
  assignment list`. The assignment only gets effective when a scoped
  token is requested.

  Workaround for the issue is to remove role admin from admin@Default on
  project "Dev project for unprivileged@". Unprivileged user
  immediately loses admin privileges; the token is still valid, but
  there is no role "admin" in GET /v3/auth/tokens.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1677723/+subscriptions
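One way to detect the condition the report describes (a scoped token carrying a role that `openstack role assignment list` does not show) is to diff the roles in a token against the recorded effective assignments for the same user and project. The script below is an added example, not part of the bug report or of Keystone itself; the token and role-assignment bodies are constructed samples shaped like the v3 API responses (`POST /v3/auth/tokens` and `GET /v3/role_assignments?effective`), and every identifier in them is made up.

```python
"""Audit check: report roles present in a Keystone v3 scoped token that no
recorded effective role assignment for that user and project explains."""
import json

# Constructed sample of a v3 scoped-token response body. A real response
# carries many more fields; only the ones this check reads are kept.
SAMPLE_TOKEN = json.dumps({
    "token": {
        "user": {"id": "u-fed-0001", "name": "unprivileged@example.org"},
        "project": {"id": "p-dev-0001",
                    "name": "Dev project for unprivileged@example.org"},
        "roles": [
            {"id": "r-member", "name": "_member_"},
            {"id": "r-admin", "name": "admin"},
        ],
    }
})

# Constructed sample of GET /v3/role_assignments?effective for the same
# user and project. Only the _member_ role is recorded, mirroring the report.
SAMPLE_ASSIGNMENTS = json.dumps({
    "role_assignments": [
        {
            "role": {"id": "r-member"},
            "user": {"id": "u-fed-0001"},
            "scope": {"project": {"id": "p-dev-0001"}},
        }
    ]
})


def token_scope(token_body):
    """Return (user_id, project_id, {role_id: role_name}) from a v3 token body."""
    tok = json.loads(token_body)["token"]
    roles = {r["id"]: r["name"] for r in tok.get("roles", [])}
    project_id = tok.get("project", {}).get("id")
    return tok["user"]["id"], project_id, roles


def recorded_role_ids(assignments_body, user_id, project_id):
    """Role ids recorded for user_id on project_id in a role_assignments listing.

    With ?effective, Keystone expands group memberships into per-user entries,
    so matching on user.id is sufficient; domain-scoped and system-scoped
    entries are ignored because the token under test is project-scoped.
    """
    recorded = set()
    for entry in json.loads(assignments_body)["role_assignments"]:
        if entry.get("user", {}).get("id") != user_id:
            continue
        if entry.get("scope", {}).get("project", {}).get("id") != project_id:
            continue
        recorded.add(entry["role"]["id"])
    return recorded


def unrecorded_roles(token_body, assignments_body):
    """Names of roles the token grants that no recorded assignment covers."""
    user_id, project_id, granted = token_scope(token_body)
    recorded = recorded_role_ids(assignments_body, user_id, project_id)
    return {name for rid, name in granted.items() if rid not in recorded}


if __name__ == "__main__":
    extra = unrecorded_roles(SAMPLE_TOKEN, SAMPLE_ASSIGNMENTS)
    print("roles in token without a recorded assignment:", sorted(extra))
```

Run against a live deployment, the two JSON bodies would come from issuing a scoped token for the federated user and from the role-assignments listing filtered to that user and project; a non-empty result is the symptom the report describes and is worth alerting on until the fix is deployed.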