yahoo-eng-team team mailing list archive
Message #94693
[Bug 2069063] Re: EC2 credential management API does not respect project restriction in application credential
Thanks for the clarification Artem!
Based on that explanation, it seems like this does not meet our
definition of a security vulnerability, Class E in our taxonomy:
https://security.openstack.org/vmt-process.html#report-taxonomy
** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2069063
Title:
  EC2 credential management API does not respect project restriction in
  application credential

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Invalid
Bug description:
Application credentials are documented as being project-specific. I
would expect that to mean that when authorizing with a set of app
credentials I can see resources for the associated project and ONLY
for the associated project.
Assuming that the above is correct, then there is an issue with
keystone not respecting project separation with application
credentials.
Here's an example: My user is a member of several projects, including
'testlabs' and 'admin-monitoring'. I have ec2 creds in each of those
two projects.
I've created application credentials for my user in the 'testlabs'
project:
$ openstack application credential list --user andrew
+----------------------------------+-----------------------+------------------+----------------------------------------------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+-----------------------+------------------+----------------------------------------------------+----------------------------+
| 2490791010414216ba68c1390cd6eb0f | andrew-testlabs | testlabs | member creds bound to testlabs project | 2024-08-01T00:00:00.000000 |
| 986f1e7d6f3f4673a4a1a976b1c44401 | andrewadminmonitoring | admin-monitoring | None | 2024-08-01T00:00:00.000000 |
+----------------------------------+-----------------------+------------------+----------------------------------------------------+----------------------------+
...and entered those creds (for 'testlabs') in clouds.yaml...
$ cat clouds.yaml
clouds:
  andrewtestlabs:
    auth:
      auth_url: https://openstack.eqiad1.wikimediacloud.org:25000/v3
      application_credential_id: "2490791010414216ba68c1390cd6eb0f"
      application_credential_secret: "<redacted>"
    region_name: "eqiad1-r"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
Now, using those app creds to list ec2 creds:
$ openstack ec2 credentials list --os-cloud andrewtestlabs
+----------------------------------+----------------------------------+------------------+---------+
| Access | Secret | Project ID | User ID |
+----------------------------------+----------------------------------+------------------+---------+
| 26b5cd7d4a8f4244838d977b12e187e6 | <redacted> | testlabs | andrew |
| ae92e03064c6473a8829f0b4578c9300 | <redacted> | admin-monitoring | andrew |
+----------------------------------+----------------------------------+------------------+---------+
...it just goes ahead and shows me the ec2 secret from another
project.
This is with keystone 24.0, version 'bobcat'.
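An added audit check, not part of the bug report or of keystone, that operators can run against their own deployment to see whether an application-credential-scoped token returns EC2 credentials from other projects. It assumes that the JSON keys produced by `openstack ec2 credentials list -f json` match the column headers shown in the listing above (Access, Secret, Project ID, User ID), and the embedded sample is a constructed copy of that listing with secrets redacted.

```python
import json
import sys

# Constructed sample mirroring the `openstack ec2 credentials list -f json`
# output for the 'testlabs' application credential shown in the report.
# Secrets are redacted; this is not real cloud data.
SAMPLE_LISTING = json.dumps([
    {"Access": "26b5cd7d4a8f4244838d977b12e187e6", "Secret": "<redacted>",
     "Project ID": "testlabs", "User ID": "andrew"},
    {"Access": "ae92e03064c6473a8829f0b4578c9300", "Secret": "<redacted>",
     "Project ID": "admin-monitoring", "User ID": "andrew"},
])


def foreign_ec2_credentials(listing_json, scoped_project):
    """Return (access_id, project) pairs for EC2 credentials whose project
    differs from the project the application credential is bound to.

    Only the access ID and project are returned; the secret is never copied
    out of the listing, so an audit report does not re-leak it.
    """
    rows = json.loads(listing_json)
    return [
        (row["Access"], row["Project ID"])
        for row in rows
        if row.get("Project ID") != scoped_project
    ]


def main():
    # Usage (assumed invocation, pipe the CLI's JSON output into this script):
    #   openstack ec2 credentials list --os-cloud andrewtestlabs -f json \
    #     | python3 check_ec2_scope.py testlabs
    # With no piped input the constructed sample is used instead.
    scoped_project = sys.argv[1] if len(sys.argv) > 1 else "testlabs"
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    leaked = foreign_ec2_credentials(listing, scoped_project)
    for access, project in leaked:
        print(f"out-of-scope EC2 credential {access} (project {project}) "
              f"visible to token bound to {scoped_project}")
    # A non-zero exit flags the project-restriction bypass described above.
    sys.exit(1 if leaked else 0)


if __name__ == "__main__":
    main()
```

Run it once per application credential and expect an empty result and exit status 0; any row it reports is a credential the token should not have been able to read.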
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2069063/+subscriptions