
yahoo-eng-team team mailing list archive

[Bug 1779205] Re: [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)

 

Reviewed:  https://review.openstack.org/585782
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=df5d75571ed274b2964ed52048768c6d9f24d138
Submitter: Zuul
Branch:    master

commit df5d75571ed274b2964ed52048768c6d9f24d138
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Wed Jul 25 15:07:16 2018 +0000

    Reduce duplication in federated auth APIs
    
    The GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains
    APIs were introduced to handle tokens from federated users, but now
    that GET /v3/auth/projects and GET /v3/auth/domains know how to handle
    federated tokens, they're just duplicate APIs.
    
    In the past we deprecated these federated auth APIs, but they still
    used separate code paths from GET /v3/auth/projects and GET
    /v3/auth/domains. The two code paths are true duplication in that they
    don't expect to differ over time and should provide the same user
    experience.
    
    Instead of running the risk that comes with two code paths that do the
    same thing, we should consolidate them.
    
    Co-Authored-By: Kristi Nikolla <kristi@xxxxxxxxxx>
    
    Closes-Bug: 1779205
    Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1779205

Title:
  [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project
  information (CVE-2018-14432)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Committed

Bug description:
  The /v3/OS-FEDERATION/projects API was developed to let federated
  users discover what projects they have access to. This mirrored a
  similar API in keystone, /v3/auth/projects. Both were intended to
  behave the same way, by only returning what projects a user has a role
  assignment on.

  Eventually the /v3/OS-FEDERATION/projects API was deprecated after the
  /v3/auth/projects API was able to support federated tokens.

  The /v3/OS-FEDERATION/projects API appears to be broken because it
  returns all projects in the deployment, not just the ones a user has
  access to. The following recreates the issue:

  lbragstad|devstack|~ >>> cat /etc/openstack/clouds.yaml
  clouds:
    devstack:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: demo
        user_domain_id: default
        username: demo
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
    devstack-admin:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: admin
        user_domain_id: default
        username: admin
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
    devstack-alt:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: alt_demo
        user_domain_id: default
        username: alt_demo
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
  lbragstad|devstack|~ >>> openstack role assignment list --names --os-cloud devstack-admin
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  | Role        | User             | Group             | Project                    | Domain  | Inherited |
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  | member      |                  | nonadmins@Default | demo@Default               |         | False     |
  | anotherrole |                  | nonadmins@Default | demo@Default               |         | False     |
  | member      |                  | nonadmins@Default | alt_demo@Default           |         | False     |
  | anotherrole |                  | nonadmins@Default | alt_demo@Default           |         | False     |
  | admin       |                  | admins@Default    | admin@Default              |         | False     |
  | admin       | admin@Default    |                   | demo@Default               |         | False     |
  | admin       | admin@Default    |                   | admin@Default              |         | False     |
  | admin       | admin@Default    |                   | alt_demo@Default           |         | False     |
  | admin       | admin@Default    |                   |                            | Default | False     |
  | member      | demo@Default     |                   | demo@Default               |         | False     |
  | anotherrole | demo@Default     |                   | demo@Default               |         | False     |
  | member      | demo@Default     |                   | invisible_to_admin@Default |         | False     |
  | member      | alt_demo@Default |                   | alt_demo@Default           |         | False     |
  | anotherrole | alt_demo@Default |                   | alt_demo@Default           |         | False     |
  | admin       | admin@Default    |                   |                            |         | False     |
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  lbragstad|devstack|~ >>> openstack token issue --os-cloud devstack
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field      | Value                                                                                                                                                                                   |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | expires    | 2018-06-28T21:03:47+0000                                                                                                                                                                |
  | id         | gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w |
  | project_id | 44053df0d12f4ba0aa4c28c3364aa1a1                                                                                                                                                        |
  | user_id    | cef2773684114d55a6399e928ecc78e4                                                                                                                                                        |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  lbragstad|devstack|~ >>> export TOKEN='gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w'
  lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/auth/projects | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   669  100   669    0     0  20476      0 --:--:-- --:--:-- --:--:-- 20906
  {
      "links": {
          "next": null,
          "previous": null,
          "self": "http://192.168.1.5/identity/v3/auth/projects"
      },
      "projects": [
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
              },
              "name": "demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
              },
              "name": "invisible_to_admin",
              "parent_id": "default",
              "tags": []
          }
      ]
  }
  lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/OS-FEDERATION/projects | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  1270  100  1270    0     0  17528      0 --:--:-- --:--:-- --:--:-- 17638
  {
      "links": {
          "next": null,
          "previous": null,
          "self": "http://192.168.1.5/identity/v3/OS-FEDERATION/projects"
      },
      "projects": [
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
              },
              "name": "demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "Bootstrap project for initializing the cloud.",
              "domain_id": "default",
              "enabled": true,
              "id": "681b94352ed146b5ac37c152653e90d2",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/681b94352ed146b5ac37c152653e90d2"
              },
              "name": "admin",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "9a742b4684dc4c8a90dc4896f9ab178e",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/9a742b4684dc4c8a90dc4896f9ab178e"
              },
              "name": "alt_demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
              },
              "name": "invisible_to_admin",
              "parent_id": "default",
              "tags": []
          }
      ]
  }

  Notice that I used the devstack cloud config, which specifies the demo
  user who only has the `member` and `anotherrole` assigned on two
  projects (demo and invisible_to_admin). In no way should they have
  access to view all projects in the deployment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1779205/+subscriptions
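The discrepancy the bug report demonstrates, modelled as an added example. This is not keystone code and not part of the bug report or the commit: the role-assignment rows and project ids are transcribed from the report above, `projects_for_user` is a simplified model of what GET /v3/auth/projects is expected to return (projects the user holds a role on directly or through a group), `federation_projects_vulnerable` models the pre-fix OS-FEDERATION endpoint that ignored the caller, and `diff_project_listings` is the check an operator can run over the two JSON bodies to see which projects leaked. Group membership is not shown in the report; the assumption that demo and alt_demo belong to neither group is consistent with the /v3/auth/projects output shown there.

```python
import json

# --- Constructed data, transcribed from the bug report ----------------------

# Project-scoped rows from `openstack role assignment list --names`. The
# domain-scoped and system-scoped rows for admin are omitted because neither
# endpoint lists projects for those scopes.
ROLE_ASSIGNMENTS = [
    # (role, user, group, project)
    ("member", None, "nonadmins", "demo"),
    ("anotherrole", None, "nonadmins", "demo"),
    ("member", None, "nonadmins", "alt_demo"),
    ("anotherrole", None, "nonadmins", "alt_demo"),
    ("admin", None, "admins", "admin"),
    ("admin", "admin", None, "demo"),
    ("admin", "admin", None, "admin"),
    ("admin", "admin", None, "alt_demo"),
    ("member", "demo", None, "demo"),
    ("anotherrole", "demo", None, "demo"),
    ("member", "demo", None, "invisible_to_admin"),
    ("member", "alt_demo", None, "alt_demo"),
    ("anotherrole", "alt_demo", None, "alt_demo"),
]

# Every project in the deployment: what the vulnerable endpoint handed back.
ALL_PROJECTS = ["demo", "admin", "alt_demo", "invisible_to_admin"]

# ASSUMPTION: group membership is not in the report. Treating demo and
# alt_demo as members of no group matches the /v3/auth/projects output.
GROUP_MEMBERS = {"nonadmins": set(), "admins": set()}

# Trimmed copies of the two JSON bodies in the report (same ids and names,
# other fields dropped). Constructed here so the check runs offline.
AUTH_PROJECTS_RESPONSE = json.loads("""{"projects": [
  {"id": "44053df0d12f4ba0aa4c28c3364aa1a1", "name": "demo"},
  {"id": "8c92de6ab3884f94b508ce2f2dd62c4d", "name": "invisible_to_admin"}]}""")

FEDERATION_PROJECTS_RESPONSE = json.loads("""{"projects": [
  {"id": "44053df0d12f4ba0aa4c28c3364aa1a1", "name": "demo"},
  {"id": "681b94352ed146b5ac37c152653e90d2", "name": "admin"},
  {"id": "9a742b4684dc4c8a90dc4896f9ab178e", "name": "alt_demo"},
  {"id": "8c92de6ab3884f94b508ce2f2dd62c4d", "name": "invisible_to_admin"}]}""")


# --- Models of the two code paths -------------------------------------------

def projects_for_user(user, group_members=GROUP_MEMBERS):
    """Simplified model of GET /v3/auth/projects: only projects on which
    `user` holds a role assignment, directly or via a group they belong to."""
    groups = {g for g, members in group_members.items() if user in members}
    visible = set()
    for _role, assignee_user, assignee_group, project in ROLE_ASSIGNMENTS:
        if assignee_user == user or (assignee_group is not None
                                     and assignee_group in groups):
            visible.add(project)
    return sorted(visible)


def federation_projects_vulnerable(user):
    """Model of the pre-fix GET /v3/OS-FEDERATION/projects behaviour
    described in the report: the caller is ignored and every project in the
    deployment is returned."""
    return sorted(ALL_PROJECTS)


def leaked_projects(expected, observed):
    """Projects present in `observed` that the user should not see."""
    return sorted(set(observed) - set(expected))


# --- Operator check over the two API responses ------------------------------

def diff_project_listings(auth_response, federation_response):
    """Given the parsed bodies of GET /v3/auth/projects and
    GET /v3/OS-FEDERATION/projects for the same token, return the names of
    projects only the federation endpoint listed. A non-empty result with
    a non-admin token means the deployment is affected."""
    auth_ids = {p["id"] for p in auth_response["projects"]}
    return sorted(p["name"] for p in federation_response["projects"]
                  if p["id"] not in auth_ids)


if __name__ == "__main__":
    expected = projects_for_user("demo")
    observed = federation_projects_vulnerable("demo")
    print("auth/projects for demo:         ", expected)
    print("OS-FEDERATION/projects for demo:", observed)
    print("leaked by the model:            ", leaked_projects(expected, observed))
    print("leaked per the report's JSON:   ",
          diff_project_listings(AUTH_PROJECTS_RESPONSE,
                                FEDERATION_PROJECTS_RESPONSE))
```

To run the check against a live deployment, save the bodies of the two curl calls shown in the report to files, load them with `json.load`, and pass them to `diff_project_listings`; with the fix in place both endpoints share one code path and the result should be empty for every token.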