[OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token

Bug #1006815 reported by Jason Xu
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Critical
Dolph Mathews
Essex
Fix Released
Critical
Unassigned
OpenStack Security Advisory
Fix Released
Undecided
Russell Bryant
keystone (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Unassigned
Quantal
Fix Released
Undecided
Unassigned

Bug Description

Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate the authentication token before returning a response.

i.e. we can get the same result without a token in HTTP head.

Eg:
without a token
jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 72 100 72 0 0 308 0 --:--:-- --:--:-- --:--:-- 346
{
    "roles": [
        {
            "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
            "name": "admin"
        }
    ]
}

with token
jason@ubuntu:~/project/keystone$ curl -H "X-Auth-Token:ecab59a3f4e2468b9934c24f8660a809" http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 72 100 72 0 0 242 0 --:--:-- --:--:-- --:--:-- 270
{
    "roles": [
        {
            "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
            "name": "admin"
        }
    ]
}

What we expect:
without a token
jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 116 100 116 0 0 848 0 --:--:-- --:--:-- --:--:-- 1026
{
    "error": {
        "code": 401,
        "message": "The request you have made requires authentication.",
        "title": "Not Authorized"
    }
}

Attached is a diff of the changes.

Revision history for this message
Jason Xu (yinyangxu) wrote :
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Critical
milestone: none → folsom-2
status: New → Triaged
Revision history for this message
Dolph Mathews (dolph) wrote :

Confirmed; after using `keystone user-role-list`, I was able to list the same roles for the same user / tenant without providing an X-Auth-Token header at all: http://paste.openstack.org/raw/18323/

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/8105

Changed in keystone:
status: Confirmed → In Progress
Alan Pevec (apevec)
tags: added: essex-backport
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/8105
Committed: http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb
Submitter: Jenkins
Branch: master

commit 868054992faa45d6f42d822bf1588cb88d7c9ccb
Author: Dolph Mathews <email address hidden>
Date: Sun Jun 3 12:24:07 2012 -0500

    Require authz for user role list (bug 1006815)

    Change-Id: I65f25dcca3e265f44746930917434b45e64de15e

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/9015

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/essex)

Reviewed: https://review.openstack.org/9015
Committed: http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
Submitter: Jenkins
Branch: stable/essex

commit 14b136aed9d988f5a8f3e699bd4577c9b874d6c1
Author: Dolph Mathews <email address hidden>
Date: Sun Jun 3 12:24:07 2012 -0500

    Require authz for user role list (bug 1006815)

    Change-Id: I65f25dcca3e265f44746930917434b45e64de15e

tags: added: in-stable-essex
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "keystone_tenant_api_bug.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Dave Walker (davewalker)
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Precise):
status: New → Confirmed
Revision history for this message
Adam Gandelman (gandelman-a) wrote : Verification report.

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Keystone has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have be invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/8105
Stable review: https://review.openstack.org/9015

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Revision history for this message
Adam Gandelman (gandelman-a) wrote : Re: Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token

Test coverage log.

tags: added: verification-done
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token

This bug was fixed in the package keystone - 2012.1+stable~20120824-a16a0ab9-0ubuntu2

---------------
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2) precise-proposed; urgency=low

  * New upstream release (LP: #1041120):
    - debian/patches/0013-Flush-tenant-membership-deletion-before-user.patch:
      Dropped.
  * Resynchronize with stable/essex:
    - authenticate in ldap backend doesn't return a list of roles
      (LP: #1035428)
    - LDAP should not check username on "sn" field (LP: #997700)
    - Admin API doesn't valid token. (LP: #1006815, #1006822)
    - Memcache token backend eventually stops working. (LP: #1012381)
    - EC2 credentials not migrated from legacy (diablo) database. (LP: #1016056)
    - Deleting tenants or users does not cleanup metadata. (LP: #973243)
    - Deleting tenants does not cleanup its user associations. (LP: #974199)
    - TokenNotFound not raised in testsuite beacuse of timezone issues. (LP: #983800)
    - Token authentication for a user in a disabled tenant does not raise
      Unauthorized error. (LP: #988920)
    - export_legacy_catalog doesn't convert url names correctly. (LP: #994936)
    - Following a password compromise and subsequent password change,
      tokens remain valid. (LP: #996595)
    - Tokens remain valid after a user account is disabled. (LP: #997194)
 -- Adam Gandelman <email address hidden> Fri, 24 Aug 2012 03:34:59 -0400

Changed in keystone (Ubuntu Precise):
status: Confirmed → Fix Released
security vulnerability: no → yes
Thierry Carrez (ttx)
Changed in keystone:
milestone: folsom-2 → 2012.2
Revision history for this message
Russell Bryant (russellb) wrote :

Please review this vulnerability description. Once confirmed it will go out in an OSSA. This applies to this bug as well as bug 1006822.

Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description:
Jaxon Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing roles for a user. The second was the ability to get, create, and delete services.

Revision history for this message
Joseph Heck (heckj) wrote :

russel - description is good, run with it.

description: updated
Revision history for this message
Thierry Carrez (ttx) wrote :

Description looks good to me.

Revision history for this message
Russell Bryant (russellb) wrote :
Thierry Carrez (ttx)
summary: - Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't
- validate token
+ [OSSA 2012-015] Admin API
+ /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.