Authorization header not validated against secret on objectstore

Bug #607512 reported by justinsb
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Soren Hansen
Milestone:

Bug Description

Currently nova/objectstore/handler.py does not actually check authorization.

There's a "# FIXME: check signature here!" around line 113

(Splitting this bug out from bug 607501)


visibility: private → public
Soren Hansen (soren) wrote :

I'm wondering about this bug..

We clearly do check the signature in the line just above it, so what exactly is this comment referring to? Was the comment just not removed after it had been addressed, or is it referring to an RBAC ACL check that needs to be added?

Vish Ishaya (vishvananda) wrote :

Actually no.

The last parameter passed to authenticate is False, which tells authenticate not to check the signature. The reason for this from the legacy code is that authenticate was constructed to verify AWS signatures, and unfortunately S3 uses a completely different method for signing requests. Authenticate returns the proper user and project but does NOT currently check the signature for objectstore requests.

Authorize may need to be reworked a bit because it needs a little more data for the S3 version, like Content-Type and MD5. Docs here:

http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html
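For reference, the S3 REST signature check that the comment above says is skipped looks like the following. This is an added example, not nova's code or the fix that was merged; the credential table, access key and secret are constructed sample values, and a real implementation would look the user and project up from nova's data store instead.

```python
import base64
import hashlib
import hmac

# Constructed credential store standing in for nova's user/project lookup.
# Both the access key and the secret are made-up sample values.
CREDENTIALS = {"AKIAEXAMPLE": "sEcReTkEy-example"}


def string_to_sign(method, headers, resource):
    """Build the S3 REST StringToSign: HTTP verb, Content-MD5, Content-Type,
    Date, the canonicalized x-amz-* headers and the canonicalized resource."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    amz = "".join("%s:%s\n" % (k, lower[k])
                  for k in sorted(lower) if k.startswith("x-amz-"))
    # Per the S3 spec, an x-amz-date header replaces Date in the string to sign.
    date = "" if "x-amz-date" in lower else lower.get("date", "")
    return "\n".join([method.upper(), lower.get("content-md5", ""),
                      lower.get("content-type", ""), date]) + "\n" + amz + resource


def expected_signature(secret, sts):
    """Signature = base64(HMAC-SHA1(secret, StringToSign))."""
    digest = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authenticate(method, headers, resource, check_signature=True):
    """Return the access key that authorized the request, or None.

    check_signature=False reproduces the bug this report describes: the
    caller is identified from the header but never proves it holds the secret.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS ") or ":" not in auth:
        return None
    access_key, signature = auth[4:].split(":", 1)
    secret = CREDENTIALS.get(access_key)
    if secret is None:
        return None
    if not check_signature:
        return access_key
    expected = expected_signature(secret, string_to_sign(method, headers, resource))
    # Constant-time compare so the check does not leak timing information.
    return access_key if hmac.compare_digest(expected, signature) else None
```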

summary: - Authorization not checked on objectstore
+ Authorization header not validated against secret on objectstore
Soren Hansen (soren) wrote :

I've just pushed my first revision of a fix for this. It's not ready for merge yet (I want to un-spaghettify it, possibly remove the dependency on boto and add unit tests), but I'm not feeling too good today, and will be away for the weekend, so I'd rather share it to avoid wasted effort for others.

Changed in nova:
assignee: nobody → Soren Hansen (soren)
status: New → Fix Committed
importance: Undecided → Medium
Ewan Mellor (ewanmellor)
Changed in nova:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.
