yahoo-eng-team team mailing list archive

[Bug 1799588] Re: non-admin users can see all tenants' images even when image is private

 

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

** Information type changed from Public to Public Security

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1799588

Title:
  non-admin users can see all tenants' images even when image is private

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  [root@vm013 glance]# cat /etc/redhat-release
  CentOS Linux release 7.5.1804 (Core)
  [root@vm013 glance]# rpm -qa |grep glance |sort
  openstack-glance-16.0.1-1.el7.noarch
  openstack-glance-doc-16.0.1-1.el7.noarch
  python2-glanceclient-2.10.0-1.el7.noarch
  python2-glance-store-0.23.0-1.el7.noarch
  python-glance-16.0.1-1.el7.noarch
  python-glanceclient-doc-2.10.0-1.el7.noarch
  [root@vm013 glance]# md5sum /etc/glance/policy.json
  a4f29d0f75bbc04f1d83a1abdf0fda6f  /etc/glance/policy.json

  I am running only Glance v2 API.

  In this demo, as an un-privileged user, I will list all glance images,
  from all tenants, and they are all marked 'private'.

  (as admin):
  [root@vm013 ~]# openstack role assignment list --effective --names |grep jonathan
  | user    | jonathan@Default    |       | ozoneaq@ndc        |         | False     |

  (as jonathan):
  [root@vm013 ~]# . keystonerc_jonathan
  [root@vm013 ~]# printenv |grep OS_ |sort
  OS_AUTH_URL=https://keystone.gpcprod:5000/v3
  OS_CACERT=/etc/openldap/cacerts/gpcprod_root_ca.pem
  OS_IDENTITY_API_VERSION=3
  OS_PASSWORD=XXXXXXXXXXXXXXXXXX
  OS_PROJECT_DOMAIN_NAME=NDC
  OS_PROJECT_NAME=ozoneaq
  OS_USER_DOMAIN_NAME=Default
  OS_USERNAME=jonathan
  OS_VOLUME_API_VERSION=3

  [root@vm013 ~]# openstack image list
  +--------------------------------------+-----------------------------------+--------+
  | ID                                   | Name                              | Status |
  +--------------------------------------+-----------------------------------+--------+
  | 0099a343-1376-49f4-85f9-795624fb2ce8 | CentOS-7-x86_64-GenericCloud-1808 | active |
  | 53d7c007-318b-4dad-b7cb-38b1dd31f884 | Ubuntu1604-180919                 | active |
  | 482f52ca-e56c-4555-a0e3-93eb491db389 | Ubuntu1604-20181016               | active |
  | 212aaf3c-18f6-4327-8a11-c726c2e21780 | Ubuntu1804-20181016               | active |
  | 051d2fff-6b90-4321-9c64-c613f0ddf3da | Windows2016Std-20181003r4         | active |
  | ac6baa7c-fd2f-48e2-84e0-37a86f623e38 | Windows2016std-20181003r2         | active |
  | 2264c6b9-40e7-492d-a5bc-dd11a7b4ee10 | Windows2016std-20181004           | active |
  | 6d865748-ae7a-4c43-9d01-bc35c9002fd9 | Windows2016std-20181004r2         | active |
  | 26ba1766-aa67-4b1b-81cd-90dda8d41384 | WindowsServer2016-20180926        | active |
  | 3fc3c155-c7a2-4556-a5d0-de7eff208d7d | WindowsStd2016-20181010           | active |
  | b6d161ca-e03b-46c5-95a0-5fe31723c5c7 | centos7-201810100                 | active |
  | 8bdc33be-1eb5-429b-b0ca-682b24df45f0 | centos7-gi-build-test1            | active |
  | 34a915b8-cca6-45c3-9348-5e15dace444f | cirros                            | active |
  | 84102d5c-1641-47bb-b727-a59e707e871c | keyshotslave-1604-snap2           | active |
  | cedf9ae7-6adc-44d4-b7cb-d5664ea3fef0 | keyshotslave1604-snap1            | active |
  | be4dbd67-d56f-41dd-8378-8aa6ca064f55 | mm-cirros-test                    | active |
  | be67cf99-b545-4a91-a3d8-fe9f26a8854d | mm-cirros-test2                   | active |
  | a8dfd028-5911-4178-a77d-bb3da8996372 | mm-test-image4                    | active |
  | b6d9d44d-2e3c-48a9-9bf5-b6fca20979f9 | testt2-snap                       | active |
  | 1c401eea-0e6e-475b-9a46-ffbfb388ca35 | ubuntu1804-180919                 | active |
  +--------------------------------------+-----------------------------------+--------+
  [root@vm013 ~]# openstack image show cirros
  +------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field            | Value                                                                                                                                                                                                                                                                                                                               |
  +------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | checksum         | 443b7623e27ecf03dc9e01ee93f67afe                                                                                                                                                                                                                                                                                                    |
  | container_format | bare                                                                                                                                                                                                                                                                                                                                |
  | created_at       | 2018-09-17T13:43:13Z                                                                                                                                                                                                                                                                                                                |
  | disk_format      | raw                                                                                                                                                                                                                                                                                                                                 |
  | file             | /v2/images/34a915b8-cca6-45c3-9348-5e15dace444f/file                                                                                                                                                                                                                                                                                |
  | id               | 34a915b8-cca6-45c3-9348-5e15dace444f                                                                                                                                                                                                                                                                                                |
  | min_disk         | 0                                                                                                                                                                                                                                                                                                                                   |
  | min_ram          | 0                                                                                                                                                                                                                                                                                                                                   |
  | name             | cirros                                                                                                                                                                                                                                                                                                                              |
  | owner            | 6e6d8ff081014c679f18ad4b818ffd4c                                                                                                                                                                                                                                                                                                    |
  | properties       | direct_url='file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', locations='[{u'url': u'file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', u'metadata': {u'mountpoint': u'/var/lib/glance/images', u'type': u'nfs', u'id': u'gpc-b32-na-01', u'share_location': u'nfs://gpc-b32-na-01/glance'}}]' |
  | protected        | False                                                                                                                                                                                                                                                                                                                               |
  | schema           | /v2/schemas/image                                                                                                                                                                                                                                                                                                                   |
  | size             | 12716032                                                                                                                                                                                                                                                                                                                            |
  | status           | active                                                                                                                                                                                                                                                                                                                              |
  | tags             |                                                                                                                                                                                                                                                                                                                                     |
  | updated_at       | 2018-09-17T13:49:18Z                                                                                                                                                                                                                                                                                                                |
  | virtual_size     | None                                                                                                                                                                                                                                                                                                                                |
  | visibility       | private                                                                                                                                                                                                                                                                                                                             |
  +------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

  
  So you can see that my un-privileged user jonathan (role:user) just displayed the private image 'cirros' from tenant 6e6d8ff081014c679f18ad4b818ffd4c.  User 'jonathan' is not a member of that tenant.

  
  (as admin):
  [root@vm013 ~]# openstack project list |grep 6e6d8ff081014c679f18ad4b818ffd4c
  | 6e6d8ff081014c679f18ad4b818ffd4c | gpcadm         |

  
  Perhaps even stranger, as my admin user (role:admin, in admin tenant), I cannot set the visibility of an image to 'public':

  [root@vm013 ~]# openstack image set --public cirros
  403 Forbidden: You are not authorized to complete publicize_image action. (HTTP 403)

  My /etc/glance/policy.json is identical to the reference one, here:
  https://raw.githubusercontent.com/openstack/glance/master/etc/policy.json

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1799588/+subscriptions
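The report above boils down to a tenant-isolation check that an operator can run after any Glance policy change: enumerate what a non-admin project can actually list, then compare it against what Glance's visibility rules say it should be able to see. The following is an added example and is not code from the bug report or from the Glance project. Its visibility semantics (public, private, shared, community) are this example's reading of the Glance v2 documentation and are stated as assumptions in the comments; the sample inventory, the `PROJECT_ID_OZONEAQ` placeholder (the report does not give jonathan's project id), and the CLI output it parses are all constructed for illustration.

```python
"""Audit a Glance v2 image listing for tenant-isolation failures.

Added example (not Glance code).  Visibility rules are assumptions drawn from
the Glance v2 documentation:
  public    - retrievable and listed for every project
  community - retrievable by every project, but only listed when the caller
              asks for visibility=community (owner sees it by default)
  shared    - retrievable only by the owner and member projects whose
              membership status is 'accepted'
  private   - owner only
Admins (context_is_admin in policy.json) see everything.
"""
from dataclasses import dataclass, field


@dataclass
class Image:
    id: str
    name: str
    owner: str                 # owning project id
    visibility: str            # public | private | shared | community
    members: dict = field(default_factory=dict)  # member project id -> status


def can_access(image, project_id, is_admin=False):
    """May `project_id` retrieve the image at all (image-show / GET by id)?"""
    if is_admin or image.owner == project_id:
        return True
    if image.visibility in ("public", "community"):
        return True
    if image.visibility == "shared":
        return image.members.get(project_id) == "accepted"
    return False  # private: owner only


def is_listed_by_default(image, project_id, is_admin=False):
    """Should a plain `openstack image list` (no visibility filter) include it?
    Assumption: community images are listed by default only for their owner."""
    if not can_access(image, project_id, is_admin):
        return False
    return image.visibility != "community" or image.owner == project_id


def expected_listing(images, project_id, is_admin=False):
    """Images the project should see in an unfiltered listing."""
    return [img for img in images if is_listed_by_default(img, project_id, is_admin)]


def ids_from_cli_output(text):
    """Parse the output of `openstack image list -f value -c ID` (one id per line)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_listing(images, project_id, observed_ids, is_admin=False):
    """Return images that appeared in the observed listing although the
    project should not be able to retrieve them.  Unknown ids (not in the
    inventory) are skipped, since nothing can be said about them here."""
    by_id = {img.id: img for img in images}
    return [by_id[i] for i in observed_ids
            if i in by_id and not can_access(by_id[i], project_id, is_admin)]


# --- constructed sample inventory (admin's view of all images) ---------------
GPCADM = "6e6d8ff081014c679f18ad4b818ffd4c"   # owner of 'cirros' in the report
PROJECT_ID_OZONEAQ = "PROJECT_ID_OZONEAQ"     # placeholder: jonathan's project

SAMPLE_IMAGES = [
    Image("34a915b8-cca6-45c3-9348-5e15dace444f", "cirros", GPCADM, "private"),
    Image("pub-0001", "public-base", GPCADM, "public"),
    Image("shr-0001", "shared-accepted", GPCADM, "shared",
          {PROJECT_ID_OZONEAQ: "accepted"}),
    Image("shr-0002", "shared-pending", GPCADM, "shared",
          {PROJECT_ID_OZONEAQ: "pending"}),
    Image("com-0001", "community-img", GPCADM, "community"),
    Image("own-0001", "own-private", PROJECT_ID_OZONEAQ, "private"),
]

# constructed stand-in for what `openstack image list -f value -c ID` printed
# when run with jonathan's credentials: every image, as in the bug report
CONSTRUCTED_CLI_OUTPUT = "\n".join(img.id for img in SAMPLE_IMAGES) + "\n"
OBSERVED_IDS = ids_from_cli_output(CONSTRUCTED_CLI_OUTPUT)

if __name__ == "__main__":
    for img in audit_listing(SAMPLE_IMAGES, PROJECT_ID_OZONEAQ, OBSERVED_IDS):
        print(f"ISOLATION FAILURE: {img.id} ({img.name}, {img.visibility}, owner {img.owner})")
```

In practice the inventory comes from an admin-scoped `openstack image list --long -f json` and the observed ids from the non-admin user's own `openstack image list -f value -c ID`; a non-empty result from `audit_listing` is the condition the report describes, and it is worth running against every role (not just `user`) after editing policy.json, because a listing that matches the model for one role says nothing about the others.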
