2015-07-07 00:46:25 |
Anna Sortland |
bug |
|
|
added bug |
2015-07-07 00:48:54 |
Anna Sortland |
bug |
|
|
added subscriber Matthew Edmonds |
2015-07-07 00:49:09 |
Anna Sortland |
cinder: assignee |
|
Anna Sortland (annasort) |
|
2015-07-07 01:11:39 |
Jeremy Stanley |
description |
create() API in cinder/volume/api.py does not call decorator nor it calls check_policy unlike other APIs there. Instead, it does the authority check in cinder/volume/flows/api/create_volume.py by calling
flow_engine = create_volume.get_flow*
which happens after a number of error checks in the api.py itself.
It is better to do authority check right away. Otherwise, we are allowing some operations to proceed that user might not have authority to (e.g. we are disclosing information in error messages).
Jay mentioned that "for some reason it appears that create has never used the decorator function but it used to do a policy check early in the create function: (See line 111) https://review.openstack.org/#/c/29862/66/cinder/volume/api.py So, I think the problem goes back to commit e78ba969494560f99b75524304ed8ffea59db560 ."
We should change the code to use decorator for create() so that authority for create volume operation is checked right away. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
create() API in cinder/volume/api.py does not call decorator nor it calls check_policy unlike other APIs there. Instead, it does the authority check in cinder/volume/flows/api/create_volume.py by calling
flow_engine = create_volume.get_flow*
which happens after a number of error checks in the api.py itself.
It is better to do authority check right away. Otherwise, we are allowing some operations to proceed that user might not have authority to (e.g. we are disclosing information in error messages).
Jay mentioned that "for some reason it appears that create has never used the decorator function but it used to do a policy check early in the create function: (See line 111) https://review.openstack.org/#/c/29862/66/cinder/volume/api.py So, I think the problem goes back to commit e78ba969494560f99b75524304ed8ffea59db560 ."
We should change the code to use decorator for create() so that authority for create volume operation is checked right away. |
|
2015-07-07 01:12:12 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2015-07-07 01:12:35 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2015-07-07 01:13:12 |
Jeremy Stanley |
bug |
|
|
added subscriber Cinder Core security contacts |
2015-07-07 19:43:06 |
Tristan Cacqueray |
nominated for series |
|
cinder/liberty |
|
2015-07-07 19:43:06 |
Tristan Cacqueray |
nominated for series |
|
cinder/juno |
|
2015-07-07 19:43:06 |
Tristan Cacqueray |
nominated for series |
|
cinder/kilo |
|
2015-07-07 21:01:16 |
John Griffith |
bug task added |
|
cinder/juno |
|
2015-07-07 21:01:26 |
John Griffith |
bug task added |
|
cinder/kilo |
|
2015-07-07 21:01:39 |
John Griffith |
bug task added |
|
cinder/liberty |
|
2015-07-16 14:05:36 |
Grant Murphy |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
create() API in cinder/volume/api.py does not call decorator nor it calls check_policy unlike other APIs there. Instead, it does the authority check in cinder/volume/flows/api/create_volume.py by calling
flow_engine = create_volume.get_flow*
which happens after a number of error checks in the api.py itself.
It is better to do authority check right away. Otherwise, we are allowing some operations to proceed that user might not have authority to (e.g. we are disclosing information in error messages).
Jay mentioned that "for some reason it appears that create has never used the decorator function but it used to do a policy check early in the create function: (See line 111) https://review.openstack.org/#/c/29862/66/cinder/volume/api.py So, I think the problem goes back to commit e78ba969494560f99b75524304ed8ffea59db560 ."
We should change the code to use decorator for create() so that authority for create volume operation is checked right away. |
create() API in cinder/volume/api.py does not call decorator nor it calls check_policy unlike other APIs there. Instead, it does the authority check in cinder/volume/flows/api/create_volume.py by calling
flow_engine = create_volume.get_flow*
which happens after a number of error checks in the api.py itself.
It is better to do authority check right away. Otherwise, we are allowing some operations to proceed that user might not have authority to (e.g. we are disclosing information in error messages).
Jay mentioned that "for some reason it appears that create has never used the decorator function but it used to do a policy check early in the create function: (See line 111) https://review.openstack.org/#/c/29862/66/cinder/volume/api.py So, I think the problem goes back to commit e78ba969494560f99b75524304ed8ffea59db560 ."
We should change the code to use decorator for create() so that authority for create volume operation is checked right away. |
|
2015-07-16 14:05:59 |
Grant Murphy |
bug task deleted |
ossa |
|
|
2015-07-16 14:06:03 |
Grant Murphy |
information type |
Private Security |
Public |
|
2015-08-27 20:39:21 |
OpenStack Infra |
cinder: status |
New |
In Progress |
|
2015-09-02 16:05:14 |
OpenStack Infra |
cinder: status |
In Progress |
Fix Committed |
|
2015-09-03 14:44:59 |
Thierry Carrez |
cinder: status |
Fix Committed |
Fix Released |
|
2015-09-03 14:44:59 |
Thierry Carrez |
cinder: milestone |
|
liberty-3 |
|
2015-10-15 11:51:10 |
Thierry Carrez |
cinder: milestone |
liberty-3 |
7.0.0 |
|
2015-10-15 12:01:31 |
Thierry Carrez |
bug task deleted |
cinder/liberty |
|
|
2015-12-04 18:31:10 |
Eric Harney |
cinder/juno: status |
New |
Won't Fix |
|
2016-03-13 19:56:35 |
Sean McGinnis |
cinder/kilo: status |
New |
Won't Fix |
|