yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2121622] Re: Glance Service API policy rule does not check user 'service' role

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2121622@xxxxxxxxxxxxxxxxxx>
Date: Mon, 15 Sep 2025 14:20:48 -0000
Reply-to: Bug 2121622 <2121622@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Reviewed:  https://review.opendev.org/c/openstack/glance/+/958715
Committed: https://opendev.org/openstack/glance/commit/301d8f580f4ce6a4f6089f877c0f200ff4ff633b
Submitter: "Zuul (22348)"
Branch:    master

commit 301d8f580f4ce6a4f6089f877c0f200ff4ff633b
Author: Ghanshyam Maan <gmaan@xxxxxxxxxxxxxxxxx>
Date:   Thu Aug 28 03:19:27 2025 +0000

    Fix glance service policy rule
    
    Glance service APIs are default to 'service_roles: service'
    
    - https://github.com/openstack/glance/blob/6c33a667a9f5ddce07b6131f4a5cb7460a4bdf17/glance/policies/base.py#L116
    
    The issue here is the service token, which is sent from the
    service for the user token expiry case but glance uses that
    service token (keystonemiddleware sets the service token roles
    in Requestcontext in 'service_roles' field) for RBAC, which
    is not correct.
    
    The OpenStack services communicate with each other by
    passing the user token and service token wrapped in
    keystoneauth's ServiceTokenAuthWrapper. The only purpose
    of passing the service token is for long-running
    operations and in case the user token gets expired.
    
    For RBAC, we need to check if a user token has the 'service'
    role or not. Service needs to load the configured user auth
    plugin (where the user should have the 'service' role) from
    keystoneauth and pass that to the other services (for example,
    cinder change depends-on) and glance will use that user role
    to verify the policy permission. To fix that, we need to make
    the service APIs default to ``role:service`` and not
    `service_role`:`service`.
    
    This commit does one more change. Cinder does not have the
    way to configure the glance service user, we are adding the
    new config in this release. For backward compatibility,
    we need to allow admin access in service policy rule. In
    future release (after one SLURP release), we cna remove
    the admin access.
    
    Closes-Bug: #2121622
    
    Co-Authored-By: : Sean Mooney <work@xxxxxxxxxxxxxxx>
    
    Change-Id: I50909e6bdb3227ca99b7eba642546da791f9552a
    Signed-off-by: Sean Mooney <work@xxxxxxxxxxxxxxx>
    Signed-off-by: Ghanshyam Maan <gmaan@xxxxxxxxxxxxxxxxx>


** Changed in: glance
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/2121622

Title:
  Glance Service API policy rule does not check user 'service' role

Status in Cinder:
  Fix Released
Status in Glance:
  Fix Released

Bug description:
  Glance service APIs are default to 'service_roles: service'

  -
  https://github.com/openstack/glance/blob/6c33a667a9f5ddce07b6131f4a5cb7460a4bdf17/glance/policies/base.py#L116

  The issue here is the service token, which is sent from the service
  for the user token expiry case but glance uses that service token
  (keystonemiddleware sets the service token roles in Requestcontext in
  'service_roles' field) for RBAC, which is not correct.

  Use case of service token for user token expiry:
  ------------------------------------------------

  This is a case where services call other services to complete the user
  operation. The user operation can be a long-runnning one, andthe  user
  token may expire while the operation is still in progress. For that
  Service Token concept was introduced. Service calling another service
  needs to send the Service Token along with User Token.
  Keystonmiddleware will check if the Service Token is present and
  valid, then, it will not fail the request, even User Token is expired.

  Use case of service APIs access control in RBAC:
  ------------------------------------------------

  For RBAC, Service needs to send external user token to another service
  for non-service APIs call and inteernal user token for service only
  APIs. INternal user token needs to load the configured user auth
  plugin (where the user should have the 'service' role) from
  keystoneauth and send that to the another services. Services always
  need to check if user token has 'service' role so that they can make
  sure service only APIs are called by service.

  
  Problem of using Service Token for RBAC:
  ----------------------------------------
  Service Token will always have the 'service_roles: service' and if service APIs policy rule check Service Token's service_roles which will always be 'service' and will make service APIs policy rule noop and expose them to users who should not have access to them.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2121622/+subscriptions
References

[Bug 2121622] [NEW] Glance Service API policy rule does not check user 'service' role
From: Ghanshyam Maan, 2025-08-28