yahoo-eng-team team mailing list archive
Message #85355
[Bug 1916922] Re: Glance leaks resource types across namespaces
We'll be switching this bug public shortly along with bug 1916926 under
a single publication (OSSN-0088).
** Description changed:
- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2021-05-26 and will be made
- public by or on that date even if no fix is identified.
-
-
- As a user of a project, I can see resource types associated to private namespaces I don't have access to:
+ As a user of a project, I can see resource types associated to private
+ namespaces I don't have access to:
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ cat alicerc
export OS_CACERT=
export OS_PROJECT_NAME=separate
export OS_USERNAME=alice
export OS_PASSWORD=password
export OS_REGION_NAME=RegionOne
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://192.168.1.155/identity
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_VOLUME_API_VERSION=3
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source alicerc
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-list
+------------------------------------------+
| namespace |
+------------------------------------------+
| OS::Software::DBMS |
| CIM::ResourceAllocationSettingData |
| OS::Compute::CPUPinning |
| OS::Compute::Watchdog |
| OS::Compute::GuestMemoryBacking |
| OS::Compute::AggregateDiskFilter |
| OS::Compute::RandomNumberGenerator |
| OS::Compute::Hypervisor |
| OS::Compute::AggregateIoOpsFilter |
| OS::Compute::VirtCPUTopology |
| OS::Compute::HostCapabilities |
| CIM::ProcessorAllocationSettingData |
| OS::Compute::GuestShutdownBehavior |
| OS::Cinder::Volumetype |
| OS::Software::WebServers |
| OS::Compute::Libvirt |
| OS::Compute::XenAPI |
| OS::Compute::Quota |
| OS::Compute::VMwareFlavor |
| OS::Compute::VMwareQuotaFlavor |
| OS::Compute::InstanceData |
| OS::Compute::LibvirtImage |
| OS::Compute::AggregateNumInstancesFilter |
| OS::Glance::Signatures |
| CIM::VirtualSystemSettingData |
| CIM::StorageAllocationSettingData |
| OS::Software::Runtimes |
| OS::Compute::VMware |
+------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-create alice-namespace
+------------+----------------------------------+
| Property | Value |
+------------+----------------------------------+
| created_at | 2021-02-25T15:55:55Z |
| namespace | alice-namespace |
| owner | 67f1495e5dc145abbfa7059c63c6eda2 |
| protected | False |
| schema | /v2/schemas/metadefs/namespace |
| updated_at | 2021-02-25T15:55:55Z |
| visibility | private |
+------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-associate --name alice-resource-type alice-namespace
+------------+----------------------+
| Property | Value |
+------------+----------------------+
| created_at | 2021-02-25T15:57:29Z |
| name | alice-resource-type |
| updated_at | 2021-02-25T15:57:29Z |
+------------+----------------------+
Now as a separate user
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source openrc demo demo
is_service_enabled:29: command not found: set +o xtrace
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-list
+---------------------+
| name |
+---------------------+
| OS::Glance::Image |
| OS::Cinder::Volume |
| OS::Nova::Server |
| OS::Nova::Aggregate |
| OS::Nova::Flavor |
| OS::Trove::Instance |
| bar |
| test |
| alice-resource-type |
+---------------------+
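To make the authorization gap in the reproduction above concrete, here is an added illustration (a hypothetical in-memory model with constructed sample data, not Glance's own code or API): the leaky listing returns every associated resource type regardless of namespace visibility, the filtered version only reports resource types reachable through a namespace the caller may see, and an audit helper names the difference.

```python
# Hypothetical in-memory model of Glance metadef namespaces for bug 1916922.
# Constructed sample data; not Glance's own code or API.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Namespace:
    name: str
    owner: str               # project id that created the namespace
    visibility: str          # "public" or "private"
    resource_types: frozenset = field(default_factory=frozenset)


def namespace_visible(ns, project_id, is_admin=False):
    """A private namespace is visible only to its owning project or an admin."""
    return is_admin or ns.visibility == "public" or ns.owner == project_id


def list_resource_types_leaky(namespaces, project_id):
    """Before: every associated resource type, ignoring who may see the
    namespace it came from (project_id is deliberately unused)."""
    return sorted({rt for ns in namespaces for rt in ns.resource_types})


def list_resource_types_filtered(namespaces, project_id, is_admin=False):
    """After: a resource type is reported only if the caller can see at least
    one namespace it is associated with."""
    return sorted({rt for ns in namespaces
                   if namespace_visible(ns, project_id, is_admin)
                   for rt in ns.resource_types})


def leaked_resource_types(namespaces, project_id):
    """Audit helper: names the unfiltered listing exposes to this project
    that it could not learn through any namespace it is allowed to see."""
    return sorted(set(list_resource_types_leaky(namespaces, project_id))
                  - set(list_resource_types_filtered(namespaces, project_id)))


# Constructed sample, as in the report: alice's project owns a private
# namespace with a custom resource type; "demo" is an unrelated project.
ALICE_PROJECT = "67f1495e5dc145abbfa7059c63c6eda2"  # owner id from the report
DEMO_PROJECT = "demo-project-id"                    # placeholder id
SAMPLE_NAMESPACES = [
    Namespace("OS::Compute::Hypervisor", "admin-project-id", "public",
              frozenset({"OS::Nova::Server", "OS::Nova::Flavor"})),
    Namespace("alice-namespace", ALICE_PROJECT, "private",
              frozenset({"alice-resource-type"})),
]
```

Run `leaked_resource_types(SAMPLE_NAMESPACES, DEMO_PROJECT)` to see exactly the name the demo project should never have learned, which is the check an operator would want when confirming the OSSN-0088 guidance is applied.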
** Information type changed from Private Security to Public
** Summary changed:
- Glance leaks resource types across namespaces
+ [OSSN-0088] Glance leaks resource types across namespaces
** Changed in: ossa
Status: Incomplete => Won't Fix
** Also affects: ossn
Importance: Undecided
Status: New
** Changed in: ossn
Importance: Undecided => Critical
** Changed in: ossn
Status: New => Fix Released
** Changed in: ossn
Assignee: (unassigned) => Abhishek Kekane (abhishek-kekane)
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1916922
Title:
[OSSN-0088] Glance leaks resource types across namespaces
Status in Glance:
New
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released