[Bug 1477625] Re: DB access to show volumes may not be properly controlled

Hiroyuki Eguchi 1477625 at bugs.launchpad.net
Wed Sep 30 01:45:22 UTC 2015 

** Also affects: cinder (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: cinder (Ubuntu)

** Tags added: kilo-backport-potential

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to cinder in Ubuntu.
https://bugs.launchpad.net/bugs/1477625

Title:
  DB access to show volumes may not be properly controlled

Status in Cinder:
  Fix Released

Bug description:
  This bug was opened to note the fact that a user can show details for
  a volume they don't own in the case that they had the UUID of the
  volume:  https://launchpad.net/bugs/1475422  This was recreated in the
  following manner:

  When non-admin users know the volume uuid in the non-authorized
  tenant, they can get the volume information.

  % OS_USERNAME=admin OS_TENANT_NAME=admin cinder list
  +--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+
  | ID | Status | Name | Size | Volume Type | Bootable | Multiattach | Attached to |
  +--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+
  | 775fafb7-a2ee-497f-9b72-a5467f2cabd4 | available | a1 | 1 | lvmdriver-2 | false | False | |
  +--------------------------------------+-----------+------+------+-------------+----------+-------------+-------------+

  % OS_USERNAME=demo OS_TENANT_NAME=admin cinder list
  ERROR: User 3688045ce23b4859af1c4ede57d63d4d is unauthorized for tenant 0076ae66c26e4614b8de5d453289d2e5 (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-f293f1c8-0801-41b8-ae2a-c5a79ee2a43f)

  % OS_USERNAME=demo cinder show 775fafb7-a2ee-497f-9b72-a5467f2cabd4
  +---------------------------------------+--------------------------------------+
  | Property | Value |
  +---------------------------------------+--------------------------------------+
  | attachments | [] |
  | availability_zone | nova |
  | bootable | false |
  | consistencygroup_id | None |
  | created_at | 2015-07-14T21:28:40.000000 |
  | description | None |
  | encrypted | False |
  | id | 775fafb7-a2ee-497f-9b72-a5467f2cabd4 |
  | metadata | {} |
  | multiattach | False |
  | name | a1 |
  | os-vol-tenant-attr:tenant_id | 0076ae66c26e4614b8de5d453289d2e5 |
  | os-volume-replication:driver_data | None |
  | os-volume-replication:extended_status | None |
  | replication_status | disabled |
  | size | 1 |
  | snapshot_id | None |
  | source_volid | None |
  | status | available |
  | user_id | 030ccc6b1eb546598d8c13512b99ab97 |
  | volume_type | lvmdriver-2 |
  +---------------------------------------+--------------------------------------+

  In this example, demo user can get info of the "a1" volume in the "admin" tenant
  (tenant-id = 0076ae66c26e4614b8de5d453289d2e5) where demo user is not authorized to access.

  
  This problem can be circumvented by limiting the policy to 'rule:admin_or_owner' but we should investigate if there is a way to avoid this happening at the DB API level.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1477625/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list