
yahoo-eng-team team mailing list archive

[Bug 1933269] Re: Project admin gets treated as Global Admin with Secure RBAC


After discussing, the Vulnerability Management Team members have
concluded that the in-progress but incomplete RBAC implementation in
various projects does not rise to the level of requiring a published
security advisory, particularly as this work is likely to take place
primarily in development branches and not be backported to supported
stable branches. Some clearer documentation on behalf of the
implementing projects is likely warranted in order to warn users of the
caveats and potential pitfalls of relying on RBAC in its current state,
but that's separate from whether or not we publish advisories about any
fixes which may merge to complete the implementation.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1933269

Title:
  Project admin gets treated as Global Admin with Secure RBAC

Status in Glance:
  New
Status in Glance wallaby series:
  New
Status in Glance xena series:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  A user that has been assigned the admin role within their project gets
  treated as a de facto admin in Glance even when the project-scoped
  "Secure RBAC" feature is enabled.

  Secure RBAC personas were introduced in the Wallaby cycle, creating
  project scope. If a user is granted admin rights within the project
  scope based on the Secure RBAC roles model, the user gets treated as
  admin in Glance.

  stack@ubnt-devstack:~/devstack$ openstack project create --enable
  privilege-test

  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | ed7b2d168e444122b9700701834e8d97 |
  | is_domain   | False                            |
  | name        | privilege-test                   |
  | options     | {}                               |
  | parent_id   | default                          |
  | tags        | []                               |
  +-------------+----------------------------------+
  NOTE THE PROJECT ID.

  stack@ubnt-devstack:~/devstack$ openstack user create --project
  privilege-test --password <SNIP> --email priv-test@xxxxxxxxxxx
  --ignore-change-password-upon-first-use --disable-multi-factor-auth
  --enable privtest

  +---------------------+-------------------------------------------------------------------------------------+
  | Field               | Value                                                                               |
  +---------------------+-------------------------------------------------------------------------------------+
  | default_project_id  | ed7b2d168e444122b9700701834e8d97                                                    |
  | domain_id           | default                                                                             |
  | email               | priv-test@xxxxxxxxxxx                                                               |
  | enabled             | True                                                                                |
  | id                  | eb0d6ce9c6bc42ee8962ad97849b38f7                                                    |
  | name                | privtest                                                                            |
  | options             | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
  | password_expires_at | None                                                                                |
  +---------------------+-------------------------------------------------------------------------------------+

  stack@ubnt-devstack:~/devstack$ openstack role add --project
  privilege-test --user privtest admin

  stack@ubnt-devstack:~/devstack$ openstack role assignment list --names

  +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
  | Role        | User              | Group             | Project                    | Domain  | System | Inherited |
  +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
  | admin       |                   | admins@Default    | admin@Default              |         |        | False     |
  | anotherrole | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
  | member      | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
  | anotherrole |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
  | member      |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
  | anotherrole |                   | nonadmins@Default | demo@Default               |         |        | False     |
  | member      |                   | nonadmins@Default | demo@Default               |         |        | False     |
  | admin       | nova@Default      |                   | service@Default            |         |        | False     |
  | service     | nova@Default      |                   | service@Default            |         |        | False     |
  | admin       | placement@Default |                   | service@Default            |         |        | False     |
  | service     | placement@Default |                   | service@Default            |         |        | False     |
  | service     | glance@Default    |                   | service@Default            |         |        | False     |
  | member      | demo@Default      |                   | invisible_to_admin@Default |         |        | False     |
  | anotherrole | demo@Default      |                   | demo@Default               |         |        | False     |
  | member      | demo@Default      |                   | demo@Default               |         |        | False     |
  | service     | cinder@Default    |                   | service@Default            |         |        | False     |
  | admin       | privtest@Default  |                   | privilege-test@Default     |         |        | False     |
  | service     | neutron@Default   |                   | service@Default            |         |        | False     |
  | admin       | admin@Default     |                   | admin@Default              |         |        | False     |
  | admin       | admin@Default     |                   | alt_demo@Default           |         |        | False     |
  | admin       | admin@Default     |                   | demo@Default               |         |        | False     |
  | admin       | admin@Default     |                   |                            | Default |        | False     |
  | admin       | admin@Default     |                   |                            |         | all    | False     |
  +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
  NOTE that the 'privtest@Default' user has no other roles than admin in the 'privilege-test@Default' project

  stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
  WARNING: setting legacy OS_TENANT_NAME to support cli tools.
  stack@ubnt-devstack:~/devstack$ env | grep OS_
  OS_REGION_NAME=RegionOne
  OS_PROJECT_DOMAIN_ID=default
  OS_CACERT=
  OS_AUTH_URL=http://172.24.1.39/identity
  OS_TENANT_NAME=privilege-test
  OS_USER_DOMAIN_ID=default
  OS_USERNAME=privtest
  OS_VOLUME_API_VERSION=3
  OS_AUTH_TYPE=password
  OS_PROJECT_NAME=privilege-test
  OS_PASSWORD=<SNIP>
  OS_IDENTITY_API_VERSION=3

  NOTE: Using the privtest:privilege-test user and project.

  stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
  +----------------------------------+----------------------------------------------------------------------------------+
  | Property                         | Value                                                                            |
  +----------------------------------+----------------------------------------------------------------------------------+
  | checksum                         | b874c39491a2377b8490f5f1e89761a4                                                 |
  | container_format                 | bare                                                                             |
  | created_at                       | 2021-06-22T18:34:43Z                                                             |
  | disk_format                      | qcow2                                                                            |
  | hw_rng_model                     | virtio                                                                           |
  | id                               | ca2eea09-77f5-4c21-bf32-e7774c4f6b70                                             |
  | min_disk                         | 0                                                                                |
  | min_ram                          | 0                                                                                |
  | name                             | cirros-0.5.2-x86_64-disk                                                         |
  | os_hash_algo                     | sha512                                                                           |
  | os_hash_value                    | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
  |                                  | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869                                 |
  | os_hidden                        | False                                                                            |
  | owner                            | 03ba31a4978e4654a3d185f55711586a                                                 |
  | owner_specified.openstack.md5    |                                                                                  |
  | owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk                                                  |
  | owner_specified.openstack.sha256 |                                                                                  |
  | protected                        | True                                                                             |
  | size                             | 16300544                                                                         |
  | status                           | active                                                                           |
  | tags                             | []                                                                               |
  | updated_at                       | 2021-06-22T19:00:53Z                                                             |
  | virtual_size                     | 117440512                                                                        |
  | visibility                       | public                                                                           |
  +----------------------------------+----------------------------------------------------------------------------------+
  stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
  +----------------------------------+----------------------------------------------------------------------------------+
  | Property                         | Value                                                                            |
  +----------------------------------+----------------------------------------------------------------------------------+
  | checksum                         | b874c39491a2377b8490f5f1e89761a4                                                 |
  | container_format                 | bare                                                                             |
  | created_at                       | 2021-06-22T18:34:43Z                                                             |
  | disk_format                      | qcow2                                                                            |
  | hw_rng_model                     | virtio                                                                           |
  | id                               | ca2eea09-77f5-4c21-bf32-e7774c4f6b70                                             |
  | min_disk                         | 0                                                                                |
  | min_ram                          | 0                                                                                |
  | name                             | cirros-0.5.2-x86_64-disk                                                         |
  | os_hash_algo                     | sha512                                                                           |
  | os_hash_value                    | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
  |                                  | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869                                 |
  | os_hidden                        | False                                                                            |
  | owner                            | 03ba31a4978e4654a3d185f55711586a                                                 |
  | owner_specified.openstack.md5    |                                                                                  |
  | owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk                                                  |
  | owner_specified.openstack.sha256 |                                                                                  |
  | protected                        | False                                                                            |
  | size                             | 16300544                                                                         |
  | status                           | active                                                                           |
  | tags                             | []                                                                               |
  | updated_at                       | 2021-06-22T19:49:01Z                                                             |
  | virtual_size                     | 117440512                                                                        |
  | visibility                       | public                                                                           |
  +----------------------------------+----------------------------------------------------------------------------------+

  The owner of the image is _NOT_ the privilege-test project, as one can
  see by comparing the project id with the owner field.

  Any deployment utilizing Secure RBAC and assigning the admin role within
  any of the 3 scopes (Project, Domain or System) grants full admin
  privileges in Glance for that user.

  This behaviour is not limited to Secure RBAC but was carried over into
  it, and is more likely to be used.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1933269/+subscriptions
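As an added illustration, not part of the bug report and not Glance's or oslo.policy's code: a minimal model of why a project-scoped admin token satisfies a legacy `role:admin` check on someone else's image, and how a scope-aware rule refuses it. The two rule strings are written in oslo.policy syntax but are hypothetical, the evaluator is a small stand-in for oslo.policy's own, and the token/image values are constructed from the IDs shown in the report (privtest's project `ed7b2d...`, image owner `03ba31...`).

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthContext:
    """The token attributes a policy rule can see (constructed subset)."""
    user_id: str
    roles: Tuple[str, ...]
    project_id: Optional[str] = None     # set on project-scoped tokens
    system_scope: Optional[str] = None   # "all" on system-scoped tokens


# Hypothetical rules in oslo.policy syntax; not Glance's shipped policy.
# LEGACY_ADMIN is the classic "an admin role anywhere means admin" check.
LEGACY_ADMIN = "role:admin"
# SCOPED_ADMIN accepts a system-scoped admin token, or a project admin
# acting on a resource that its own project owns.
SCOPED_ADMIN = ("(role:admin and system_scope:all) "
                "or (role:admin and project_id:%(owner)s)")

_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\w+:%\(\w+\)s|\w+:[^\s()]+")


def _check(token: str, ctx: AuthContext, target: dict) -> bool:
    """Evaluate one 'kind:value' check against the token and the target."""
    kind, value = token.split(":", 1)
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:                                   # %(field)s refers to the target
        value = target[m.group(1)]
    if kind == "role":
        return value in ctx.roles
    return getattr(ctx, kind, None) == value


class _Rule:
    """Tiny recursive-descent evaluator: 'and' binds tighter than 'or'.
    Operands are always evaluated (no short-circuit) so every token is consumed."""

    def __init__(self, rule: str, ctx: AuthContext, target: dict):
        self.toks = _TOKEN_RE.findall(rule)
        self.pos = 0
        self.ctx, self.target = ctx, target

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def expr(self) -> bool:
        value = self.term()
        while self._peek() == "or":
            self._take()
            value = self.term() or value
        return value

    def term(self) -> bool:
        value = self.factor()
        while self._peek() == "and":
            self._take()
            value = self.factor() and value
        return value

    def factor(self) -> bool:
        tok = self._take()
        if tok == "(":
            value = self.expr()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        return _check(tok, self.ctx, self.target)


def enforce(rule: str, ctx: AuthContext, target: dict) -> bool:
    parser = _Rule(rule, ctx, target)
    result = parser.expr()
    if parser._peek() is not None:
        raise ValueError("trailing tokens in rule: %r" % rule)
    return bool(result)


def decide(ctx: AuthContext, target: dict) -> Tuple[bool, bool]:
    """(legacy rule allows, scope-aware rule allows) for modifying target."""
    return enforce(LEGACY_ADMIN, ctx, target), enforce(SCOPED_ADMIN, ctx, target)


# Constructed inputs mirroring the report: privtest is admin only in
# project ed7b2d..., while the image belongs to project 03ba31....
IMAGE = {"id": "ca2eea09-77f5-4c21-bf32-e7774c4f6b70",
         "owner": "03ba31a4978e4654a3d185f55711586a", "protected": True}
PROJECT_ADMIN = AuthContext(user_id="eb0d6ce9c6bc42ee8962ad97849b38f7",
                            roles=("admin",),
                            project_id="ed7b2d168e444122b9700701834e8d97")
SYSTEM_ADMIN = AuthContext(user_id="admin", roles=("admin",), system_scope="all")

if __name__ == "__main__":
    for name, ctx in (("project-scoped admin", PROJECT_ADMIN),
                      ("system-scoped admin", SYSTEM_ADMIN)):
        legacy, scoped = decide(ctx, IMAGE)
        print(f"{name}: legacy rule allows={legacy}, scoped rule allows={scoped}")
```

The legacy rule only asks "does the token carry the admin role", which is exactly what makes the project-scoped privtest token succeed against a protected public image owned by another project. The scope-aware variant ties the admin role either to a system-scoped token or to ownership of the target, so the same token is refused unless `owner` matches its own project. The practical check in a real deployment is to confirm that the service actually evaluates the scope attributes of the token (and has scope enforcement turned on), not merely that a "Secure RBAC" persona was assigned.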