Flavor Extra Specs should require admin privileges by default

Bug #1094142 reported by Jay Pipes
This bug affects 3 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: li,chen
Milestone:

Bug Description

Creating a new flavor requires admin credentials by default, however extra specs on flavors can be added/updated/deleted by a regular user.

The policy.json file I think needs to be updated to have the flavor extra specs API extension be admin_only by default.

Changed in nova:
importance: Undecided → High
tags: added: folsom-backport-potential
Jay Pipes (jaypipes)
Changed in nova:
assignee: nobody → Jay Pipes (jaypipes)
Changed in nova:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/18713
Committed: http://github.com/openstack/nova/commit/aee1253ce21fdb8bffac8c68e933910f1bf39dc7
Submitter: Jenkins
Branch: master

commit aee1253ce21fdb8bffac8c68e933910f1bf39dc7
Author: Jay Pipes <email address hidden>
Date: Fri Dec 28 06:25:19 2012 -0500

    CRUD on flavor extra spec extension should be admin-only

    Changes the default policy.json file to make the flavor extra
    spec create/update/delete operations admin-only, since the
    flavormanage extension is admin-only.

    fixes: lp bug #1094142

    Change-Id: Ic464b17130e76565a7c475e59064e3e3e8861327

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Changed in nova:
assignee: Jay Pipes (jaypipes) → Rajalakshmi Ganesan (rajalakshmi-ganesan)
Rajalakshmi Ganesan (rajalakshmi-ganesan) wrote :

The bug is still open, not released.
A user who does not have admin privileges is *not* allowed to perform "flavor manage". But he is still able to set "flavor extra spec".

> stack@new-vm:/opt/stack/devstack$ nova flavor-create test-1 123 512 1 1
> ERROR: Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-e8236e5b-f51e-4f37-a2f8-0c875583e180)
> stack@new-vm:/opt/stack/devstack$ nova flavor-key 1 set spec2=spec2
> stack@new-vm:/opt/stack/devstack$

The policy.json that my Devstack is using has the following code added:

 "compute_extension:flavorextraspecs:index": "",
 "compute_extension:flavorextraspecs:show": "",
 "compute_extension:flavorextraspecs:create": "rule:admin_api",
 "compute_extension:flavorextraspecs:update": "rule:admin_api",
 "compute_extension:flavorextraspecs:delete": "rule:admin_api",

Refer to the pastebin:
http://pastebin.ubuntu.com/1540305/

Sequence of activities that I have performed on my Devstack machine:

root@new-vm:/opt/stack/nova/etc/nova# env | grep OS
OS_PASSWORD=Openstack1
OS_AUTH_URL=http://127.0.0.1:5000/v2.0
OS_USERNAME=admin
OS_TENANT_NAME=admin
OS_CACERT=/opt/stack/data/CA/int-ca/ca-chain.pem
OS_NO_CACHE=1
LESSCLOSE=/usr/bin/lesspipe %s %s
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-create test-flavor 123 512 1 1
+-----+-------------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
| ID  | Name        | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | extra_specs |
+-----+-------------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
| 123 | test-flavor | 512       | 1    | 0         |      | 1     | 1.0         | True      | {}          |
+-----+-------------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-key 123 set key1=value1
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-show 123
+----------------------------+----------------------+
| Property                   | Value                |
+----------------------------+----------------------+
| OS-FLV-DISABLED:disabled   | False                |
| OS-FLV-EXT-DATA:ephemeral  | 0                    |
| disk                       | 1                    |
| extra_specs                | {u'key1': u'value1'} |
| id                         | 123                  |
| name                       | test-flavor          |
| os-flavor-access:is_public | True                 |
| ram                        | 512                  |
| rxtx_factor                | 1.0                  |
| swap                       |                      |
| vcpus                      | 1                    |
+----------------------------+----------------------+
root@new-vm:/opt/stack/nova/etc/nova# export OS_USERNAME=demo
root@new-vm:/opt/stack/nova/etc/nova# export OS_TENANT_NAME=demo
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-create test-flavor2 333 512 1 1
ERROR: Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-27ffd9b1-28a9-437b-b87b-bb2545a752a4)
root@new-vm:/opt/stack/nova/etc/nova# nova flav...


Jay Pipes (jaypipes)
Changed in nova:
status: Fix Released → Confirmed
assignee: Rajalakshmi Ganesan (rajalakshmi-ganesan) → nobody
milestone: grizzly-2 → none
li,chen (chen-li)
Changed in nova:
assignee: nobody → li,chen (chen-li)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/20662

Changed in nova:
status: Confirmed → In Progress
Thierry Carrez (ttx) wrote :

Could user access to those "flavor extra specs" be leveraged into some form of attack? I'm trying to see if we should issue an after-the-fact security advisory for this thing.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/20662
Committed: http://github.com/openstack/nova/commit/7ba533f069aa95c73524f7f0a398a216dfbcdbb3
Submitter: Jenkins
Branch: master

commit 7ba533f069aa95c73524f7f0a398a216dfbcdbb3
Author: Li Chen <email address hidden>
Date: Fri Feb 1 17:32:26 2013 +0800

    Flavor Extra Specs should require admin privileges

    The previous fix added an admin check in policy.json,
    but the code still can't recognize the detailed actions.

    This fix edited the "authorize" function for flavor_extra_specs,
    to make sure it will check the admin privileges in policy.json.

    Also, together with the code, this fix edits the old test case with admin privileges,
    and adds a new non-admin-privileges test case.

    Fixes bug 1094142

    Change-Id: Ia286aedb4846383ad51bd54b0984dd1feddfbf81
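
The two commits together explain why the first fix did not close the hole that the comment above reproduces: the per-action create/update/delete rules were added to policy.json, but the extension's authorize() never consulted them, so the demo user could still run `nova flavor-key ... set`. The following Python sketch is an added illustration, not nova's code: it models both authorize() variants against the policy rules quoted in the report. The `admin_api` definition (`role:admin`), the name of the extension-wide policy key checked before the fix, the `Context` class and the sample admin/demo users are assumptions of the example.

```python
"""Toy model of the policy check behind this bug (added illustration, not nova's code).

Assumptions: a tiny subset of the policy language ('' allows everyone,
'role:X' requires role X, 'rule:Y' defers to rule Y); 'admin_api' is
assumed to be defined as 'role:admin'; the pre-fix authorize() is
modelled as checking one extension-wide key that ignores the action.
"""
from dataclasses import dataclass, field

# Rules quoted from the bug report's policy.json, plus the two assumed
# entries described above (the report does not show them).
POLICY = {
    "admin_api": "role:admin",                          # assumed
    "compute_extension:flavorextraspecs": "",           # assumed extension-wide key
    "compute_extension:flavorextraspecs:index": "",
    "compute_extension:flavorextraspecs:show": "",
    "compute_extension:flavorextraspecs:create": "rule:admin_api",
    "compute_extension:flavorextraspecs:update": "rule:admin_api",
    "compute_extension:flavorextraspecs:delete": "rule:admin_api",
}


@dataclass
class Context:
    """Minimal stand-in for nova's request context (assumed shape)."""
    user: str
    roles: set = field(default_factory=set)


class PolicyNotAuthorized(Exception):
    pass


def check_rule(rule_name, ctx, policy=POLICY):
    """Evaluate one named rule. An unknown rule name denies (fail closed)."""
    expr = policy.get(rule_name)
    if expr is None:
        return False
    if expr == "":
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return check_rule(value, ctx, policy)
    return False


def enforce(ctx, rule_name, policy=POLICY):
    """Raise the error the CLI surfaces as HTTP 403 when the rule denies."""
    if not check_rule(rule_name, ctx, policy):
        raise PolicyNotAuthorized(
            "Policy doesn't allow %s to be performed." % rule_name)


def authorize_extension_wide(ctx, action):
    """Pre-fix behaviour (modelled): one key for the whole extension, so the
    per-action create/update/delete rules in policy.json are never consulted."""
    enforce(ctx, "compute_extension:flavorextraspecs")


def authorize_per_action(ctx, action):
    """Post-fix behaviour (modelled): the action is appended to the key, so
    the admin-only rules for create/update/delete take effect."""
    enforce(ctx, "compute_extension:flavorextraspecs:%s" % action)


def allowed(authorize, ctx, action):
    """True if authorize() lets ctx perform action on flavor extra specs."""
    try:
        authorize(ctx, action)
        return True
    except PolicyNotAuthorized:
        return False


# Constructed sample callers mirroring the admin and demo users in the report.
ADMIN = Context("admin", {"admin"})
DEMO = Context("demo", {"Member"})


def access_matrix(authorize):
    """Map (user, action) -> allowed, for every extra-specs action."""
    return {
        (ctx.user, action): allowed(authorize, ctx, action)
        for ctx in (ADMIN, DEMO)
        for action in ("index", "show", "create", "update", "delete")
    }


if __name__ == "__main__":
    for name, fn in (("extension-wide", authorize_extension_wide),
                     ("per-action", authorize_per_action)):
        print(name)
        for (user, action), ok in sorted(access_matrix(fn).items()):
            print("  %-5s %-6s %s" % (user, action, "allow" if ok else "deny"))
```

Running it prints the access matrix for both variants: under the extension-wide check every action is allowed to the demo user despite the admin-only rules in the file, while under the per-action check only index and show remain open to non-admins. The general point for reviewing a policy change is the one this bug illustrates: a rule in policy.json only matters if some code path actually passes that exact key to the enforcer, so a test that exercises the API as a non-admin user is the check that proves the rule is live.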

Changed in nova:
status: In Progress → Fix Committed
tags: added: tempest
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1