cinder backup-list is always listing all tenants' backups for admin

Bug #1422046 reported by wuyuting
Affects                          Status         Importance   Assigned to             Milestone
OpenStack Dashboard (Horizon)    Won't Fix      Undecided    Unassigned
OpenStack Security Advisory      Won't Fix      Undecided    Unassigned
ospurge                          Fix Released   Undecided    Yves-Gwenael Bourhis
python-cinderclient              Fix Released   Low          Yuriy Nesenenko
python-cinderclient (Ubuntu)     Fix Released   Undecided    Unassigned

Bug Description

cinder backup-list doesn't support the '--all-tenants' argument for admin right now. This leads to admin always getting all tenants' backups.

Tags: security
wuyuting (wytdahu)
Changed in python-cinderclient:
assignee: nobody → wuyuting (wytdahu)
Revision history for this message
rajiv (rajiv-kumar) wrote :

Hi

I want to work on this bug. If you are not working please let me know.

Mike Perez (thingee)
Changed in python-cinderclient:
assignee: wuyuting (wytdahu) → nobody
importance: Undecided → Low
status: New → Triaged
Revision history for this message
David Cheperdak (djbchepe) wrote :

Does this still need to be fixed?

Changed in python-cinderclient:
assignee: nobody → Yuriy Nesenenko (ynesenenko)
Changed in python-cinderclient:
status: Triaged → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-cinderclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207469

Changed in python-cinderclient:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-cinderclient (master)

Reviewed: https://review.openstack.org/207469
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=8cc3ee2782260498cfb3d36f5469e7086b4fe6f5
Submitter: Jenkins
Branch: master

commit 8cc3ee2782260498cfb3d36f5469e7086b4fe6f5
Author: Yuriy Nesenenko <email address hidden>
Date: Thu Jul 30 16:57:39 2015 +0300

    Add support '--all-tenants' for cinder backup-list

    Also added support '--name', '--status', '--volume-id' arguments
    for cinder backup-list.

    DocImpact
    Closes-Bug: #1422046
    Depends On: I73f6377c7d6fd92d0464d13f9c8dd6682fef78e3
    Change-Id: I5f2ab6370a8333a9ee498c6158037b0433f36a23

Changed in python-cinderclient:
status: In Progress → Fix Committed
Changed in python-cinderclient:
milestone: none → 1.4.0
status: Fix Committed → Fix Released
Changed in python-cinderclient (Ubuntu):
status: New → Confirmed
Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

ospurge is affected by this bug; the risk is deleting backup volumes of the entire production instead of a unique tenant:
https://bugs.launchpad.net/ospurge/+bug/1498533

Changed in ospurge:
status: New → Confirmed
assignee: nobody → Yves-Gwenael Bourhis (yves-gwenael-bourhis)
Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

There is a potential risk of deleting all volume backups of a production system with ospurge and python-cinderclient < 1.4.0

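The guard described above, as an added example that is not ospurge's or cinderclient's own code: it refuses to plan a purge when the cinderclient version predates 1.4.0 (the version whose backup-list honours tenant scope for admin), and otherwise keeps only backups whose owner matches the target project, treating missing ownership as not deletable. The Backup dataclass and its project_id field are assumptions standing in for the real resource; the listing is constructed sample data.

```python
"""Guard rails for purging one tenant's Cinder backups (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# First python-cinderclient release whose backup-list can be tenant-scoped
# for an admin, per the fix on this bug.
MIN_SAFE_CINDERCLIENT = (1, 4, 0)


def parse_version(text: str) -> tuple:
    """Turn '1.4.0', '1.4' or '1.3.1.dev5' into a 3-tuple of leading integers."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def may_list_backups_as_admin(cinderclient_version: str) -> bool:
    """Mirror the ospurge fix: an admin-scoped client older than 1.4.0 cannot
    restrict backup-list to one tenant, so do not list backups at all."""
    return parse_version(cinderclient_version) >= MIN_SAFE_CINDERCLIENT


@dataclass
class Backup:
    # Assumed stand-in for a cinderclient Backup resource; project_id is an
    # assumption (older API responses may carry no owner attribution).
    id: str
    name: str
    project_id: Optional[str]


def select_backups_for_purge(backups: Iterable[Backup], target_project: str) -> List[Backup]:
    """Keep only backups provably owned by target_project; a backup with no
    owner attribution is skipped (fail closed) rather than deleted on assumption."""
    return [b for b in backups if b.project_id is not None and b.project_id == target_project]


def plan_purge(cinderclient_version: str, backups: Iterable[Backup], target_project: str) -> List[str]:
    """Return the backup ids a purge run would delete, or an empty plan when the
    client cannot be trusted to scope the listing to one tenant."""
    if not may_list_backups_as_admin(cinderclient_version):
        return []
    return [b.id for b in select_backups_for_purge(backups, target_project)]


# Constructed sample: what an admin-scoped listing returns across tenants.
SAMPLE_LISTING = [
    Backup("b-1", "db-nightly", "tenant-a"),
    Backup("b-2", "web-weekly", "tenant-b"),
    Backup("b-3", "legacy", None),
    Backup("b-4", "db-nightly-2", "tenant-a"),
]

if __name__ == "__main__":
    print(plan_purge("1.3.1", SAMPLE_LISTING, "tenant-a"))  # []
    print(plan_purge("1.4.0", SAMPLE_LISTING, "tenant-a"))  # ['b-1', 'b-4']
```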
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ospurge (master)

Fix proposed to branch: master
Review: https://review.openstack.org/227911

Changed in ospurge:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ospurge (master)

Reviewed: https://review.openstack.org/227911
Committed: https://git.openstack.org/cgit/stackforge/ospurge/commit/?id=b97992d5099ce8aa9371a5b78461d11faacbea5a
Submitter: Jenkins
Branch: master

commit b97992d5099ce8aa9371a5b78461d11faacbea5a
Author: Yves-Gwenael Bourhis <email address hidden>
Date: Fri Sep 25 17:23:06 2015 +0200

    Do not list cinder backups as admin with cinderclient<1.4.0

    Due to the following bug:
    https://bugs.launchpad.net/python-cinderclient/+bug/1422046
    We do not attempt to list cinder backups as admin if cinderclient's version is
    lower than 1.4.0

    Change-Id: I570971391cff80e1d6a484c330e80f901f5210b3
    Closes-Bug: #1422046

Changed in ospurge:
status: In Progress → Fix Committed
Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

Horizon is affected because, as long as cinderclient is <1.4.0, if the user is logged in with admin permissions, the user lists all cinder backup resources instead of the ones of his own tenant, with the risk of tampering with resources from another tenant/user.

Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

This can be a security issue, because openstack admins may not be aware that they are seeing other users' cinder backup resources and can delete them.

information type: Public → Public Security
Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

It looks like bug 1514396 has been opened for the same issue in the V1 API.

Revision history for this message
Jeremy Stanley (fungi) wrote :

While I agree there is a non-negligible risk presented by this behavior, I don't see how a malicious actor could use this flaw to their advantage. As such, it doesn't seem like something for which the OpenStack Vulnerability Management Team would issue an official security advisory.

Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

Indeed, I agree that there is no risk for a "malicious actor" to use this flaw.
However there is a confirmed risk that an openstack admin can accidentally delete backups which he should not delete (and it DID happen, sadly...), when the admin is asked to launch scripts (ospurge) used to delete resources of customers who want to remove all their data...

Revision history for this message
Jeremy Stanley (fungi) wrote :

Sounds like we're agreed that this report concerns a serious bug with security implications (insofar as any means of accidentally destroying your environment is), but is not an exploitable vulnerability, does not need a CVE assignment requested by the VMT and won't lead to any official security advisory publication.

Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

Sure, I completely agree with that.

There should be a way to differentiate security issues in terms of "vulnerability" (which is not the case here) and security issues in terms of "risks of destroying data" due to a bug (which is the case here).

Revision history for this message
Jeremy Stanley (fungi) wrote :

Correct, we consider that latter case a "security hardening opportunity" and I'm triaging this report as one now (class D in our taxonomy https://security.openstack.org/vmt-process.html#incident-report-taxonomy ). Depending on severity and available time from editors in the Security Team, these sorts of issues sometimes get an OpenStack Security Note published (OSSN rather than OSSA).

Changed in ossa:
status: Incomplete → Won't Fix
information type: Public Security → Public
tags: added: security
Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :

Thanks a lot Jeremy for the link and clarification.

Chuck Short (zulcss)
Changed in python-cinderclient (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-cinderclient 1.4.0

This issue was fixed in the openstack/python-cinderclient 1.4.0 release.

Changed in ospurge:
status: Fix Committed → Fix Released
Revision history for this message
Gary W. Smith (gary-w-smith) wrote :

Closing the horizon portion of this bug since it is now outside of the support window.

Changed in horizon:
status: New → Won't Fix