yahoo-eng-team team mailing list archive

[Bug 1677723] Re: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Reviewed:  https://review.openstack.org/459705
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2139639eeabc8f6941f4461fc87d609cde3118c2
Submitter: Jenkins
Branch:    master

commit 2139639eeabc8f6941f4461fc87d609cde3118c2
Author: Boris Bobrov <breton@xxxxxxxxxxxxxxx>
Date:   Tue Apr 25 13:57:16 2017 +0000

    Do not fetch group assignments without groups
    
    Without the change, the method fetched all assignments for a project
    or domain, regardless of who held the assignment, user or group. This
    led to a situation where a federated user without groups could scope a
    token with another user's roles.
    
    Return an empty list of assignments if no groups were passed.
    
    Closes-Bug: 1677723
    Change-Id: I65f5be915bef2f979e70b043bde27064e970349d


** Changed in: keystone
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1677723

Title:
  [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Keystone stable/ocata. Federation is used with the following mapping:
  http://paste.openstack.org/show/ou0GTGp9fTQIzcHtixUU/ . As you can
  see, all users get a _member_ role, which has almost no permissions,
  and this role is granted for the newly-created project.

  User admin@Default, with role admin in project admin@Default wants to
  do something for project "Dev project for unpriveledged@xxxxxxxxxxxx".
  admin@Default assigns themselves role admin on the project  (openstack
  role assign --user admin --user-domain Default --project-id <id for
  Dev project for unprivileged@> admin)

  At this point, if federated user "unpriveledged@xxxxxxxxxxxx" gets a
  new token by going through federation and then scopes the token, they
  get a token with role admin. Here is an example of such token:
  http://paste.openstack.org/show/7vncdFywNmi6WZ9S7KXX/. In horizon it
  means they can see and do everything admin can do.

  There is no record about unprivileged user having role admin in the
  database. This assignment is not displayed in `openstack role
  assignment list`. The assignment only gets effective when a scoped
  token is requested.

  Workaround for the issue is to remove role admin from admin@Default on
  project "Dev project for unpriveledged@". Unprivileged user
  immediately loses admin privileges; the token is still valid, but
  there is no role "admin" in GET /v3/auth/tokens .
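The following is an added illustration of the defect class the commit describes, written for this note and not keystone's own code: a group-assignment lookup whose filter is only applied when the group list is non-empty, shown beside the fixed form that returns nothing for an empty list. The in-memory assignment table and the `Assignment` type are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Assignment:
    actor_type: str   # "user" or "group"
    actor_id: str
    project_id: str
    role: str


# Constructed sample table (not real keystone data): one direct admin assignment
# for the admin user, one _member_ assignment for the federated user, one group
# assignment. Nothing here grants the federated user "admin" or "reader".
ASSIGNMENTS = [
    Assignment("user", "admin", "dev-proj", "admin"),
    Assignment("user", "unprivileged", "dev-proj", "_member_"),
    Assignment("group", "devs", "dev-proj", "reader"),
]


def group_assignments_vulnerable(group_ids: List[str], project_id: str) -> List[Assignment]:
    """Defective form: the group filter is skipped when group_ids is empty, so
    every assignment on the project (user ones included) is returned."""
    result = []
    for a in ASSIGNMENTS:
        if a.project_id != project_id:
            continue
        if group_ids and not (a.actor_type == "group" and a.actor_id in group_ids):
            continue
        result.append(a)
    return result


def group_assignments_fixed(group_ids: List[str], project_id: str) -> List[Assignment]:
    """Fixed form: no groups means no group assignments, never 'no filter'."""
    if not group_ids:
        return []
    return [a for a in ASSIGNMENTS
            if a.project_id == project_id
            and a.actor_type == "group" and a.actor_id in group_ids]


def effective_roles(user_id: str, group_ids: List[str], project_id: str,
                    fetch_group_assignments: Callable[..., List[Assignment]]) -> List[str]:
    """Roles a scoped token would carry: direct user assignments plus group ones."""
    roles = {a.role for a in ASSIGNMENTS
             if a.project_id == project_id and a.actor_type == "user" and a.actor_id == user_id}
    roles |= {a.role for a in fetch_group_assignments(group_ids, project_id)}
    return sorted(roles)
```

With an empty group list the vulnerable lookup hands the federated user every role on the project, including the admin user's direct assignment, which is exactly the symptom reported above; the fixed lookup leaves only the user's own `_member_` role.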

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1677723/+subscriptions