Non-admin user can administer image cache

Bug #954608 reported by Brian Waldon
This bug affects 1 person
Affects: Glance
Status: Fix Released
Importance: High
Assigned to: Brian Waldon

Bug Description

The glance-cache-manage binary can be operated by anyone with valid keystone credentials.

Using a vanilla devstack setup, here are the credentials I get:

OS_PASSWORD=secrete
OS_AUTH_URL=http://192.168.27.100:5000/v2.0
OS_USERNAME=demo
OS_TENANT_NAME=demo

With these creds, it appears I have full access to the cache management middleware through glance-cache-manage:

vagrant@devstack:~/devstack$ glance-cache-manage list-cached
Found 1 cached images...
ID Last Accessed (UTC) Last Modified (UTC) Size Hits
------------------------------------ ------------------- ------------------- -------------- ----------
38895dc9-1a15-4b4f-84e8-7312d963c5a2 0.0 1331683101.88 2254249 0

vagrant@devstack:~/devstack$ glance-cache-manage delete-cached-image 38895dc9-1a15-4b4f-84e8-7312d963c5a2
Delete cached image 38895dc9-1a15-4b4f-84e8-7312d963c5a2? [y/N] y

vagrant@devstack:~/devstack$ glance-cache-manage list-cached
No cached images.

This interface is designed to be used from remote hosts as well, so this creates a bit of a security issue. We should lock it down to just admins.

Thierry Carrez (ttx) wrote :

Just so I understand the impact correctly: is the cache management middleware active by default (or set active in default config files)? What versions of Glance are exposed to this?

I targeted to rc1 -- but it will only show in the subscribed people's list until we make it public.

Anyone working on a fix? Please do not push to public review until we decide this should not be embargoed and coordinated between downstream stakeholders.

Changed in glance:
importance: Undecided → High
milestone: none → essex-rc1
status: New → Confirmed
Brian Waldon (bcwaldon) wrote :

Glance does not ship with it on in the example configs, and devstack does not set it up by default. Essex is definitely affected, and it looks like Diablo might be affected as well. The caching code was completely rewritten in Essex, so we would need to prepare two separate fixes. I do want to get this fixed for essex-rc1, not sure about Diablo.

Thierry Carrez (ttx) wrote :

Adding markmc and daviey to discuss if that makes sense to embargo and fix it in Diablo. If for any reason (keystone not being in diablo, rarely-used middleware) we consider it should just be fixed in Essex, I think we can open this bug.

Thierry Carrez (ttx) wrote :

In all cases, preparing an Essex fix and posting the patch here for pre-review can't hurt -- this definitely needs to be fixed before release.

Brian Waldon (bcwaldon)
Changed in glance:
assignee: nobody → Brian Waldon (bcwaldon)
status: Confirmed → In Progress
Brian Waldon (bcwaldon) wrote :

Ok, here's the patch I've come up with. It adds a new policy rule 'manage_image_cache' and defaults it to the 'admin' role.

Jay Pipes (jaypipes) wrote :

I like the patch.

Thierry Carrez (ttx) wrote :

@Russell, @Rob: your take on the risk? Should we embargo this? My vote would be to fix it directly in RC1.

Jay Pipes (jaypipes) wrote :

I'd like to get this in ASAP...

Thierry Carrez (ttx) wrote :

Discussed with Russell: I think the impact is not that bad, the middleware is rarely used and this could be considered "working as advertised" if only we documented it. Let's fix it directly in RC1.

visibility: private → public
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5467

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/5467
Committed: http://github.com/openstack/glance/commit/9681f401307a3f625d15b61d61fd421c502bd9e5
Submitter: Jenkins
Branch: master

commit 9681f401307a3f625d15b61d61fd421c502bd9e5
Author: Brian Waldon <email address hidden>
Date: Thu Mar 15 11:17:31 2012 -0700

    Add policy checks for cache manage middleware

    * Add checks for 'manage_image_cache' policy
    * Limit 'manage_image_cache' policy to 'admin' role by default
    * Fixes bug 954608

    Change-Id: Ie8d79201f39db5a9d8dd0d943056e33dc8498c21

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: essex-rc1 → 2012.1
This report contains Public Security information  
Everyone can see this security related information.
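
The fix discussed in this report gates the cache management middleware behind a 'manage_image_cache' policy rule that defaults to the 'admin' role. The sketch below is an added illustration of that kind of check as a small WSGI middleware; it is not the Glance patch or Glance code. The route prefix, the roles header name and the helper names are assumptions, and authentication is assumed to have happened in an upstream filter.

```python
# Added illustration; not Glance's code. Route prefix and header name are assumptions.
DEFAULT_POLICY = {"manage_image_cache": ["admin"]}  # rule and default role from the fix
CACHE_PREFIX = "/v1/cached_images"                  # assumed cache-management route
ROLES_HEADER = "HTTP_X_ROLES"                       # assumed to be set by the auth filter


class Forbidden(Exception):
    pass


def enforce(policy, action, roles):
    """Raise Forbidden unless a caller role is allowed; unknown rules fail closed."""
    allowed = {r.lower() for r in policy.get(action, [])}
    if not allowed & {r.lower() for r in roles}:
        raise Forbidden(action)


class CacheManageGuard:
    """WSGI middleware that policy-checks every cache-management request."""

    def __init__(self, app, policy=None):
        self.app = app
        self.policy = DEFAULT_POLICY if policy is None else policy

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path == CACHE_PREFIX or path.startswith(CACHE_PREFIX + "/"):
            roles = [r.strip() for r in environ.get(ROLES_HEADER, "").split(",") if r.strip()]
            try:
                enforce(self.policy, "manage_image_cache", roles)
            except Forbidden:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"manage_image_cache policy denied\n"]
        return self.app(environ, start_response)


def cache_app(environ, start_response):
    """Stand-in for the wrapped cache-management application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def request(app, method, path, roles):
    """Send one constructed request through the WSGI stack; return the status line."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, ROLES_HEADER: roles}
    b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"]


guarded = CacheManageGuard(cache_app)
```

The check applies to every method on the cache routes, so listing and deleting cached images are both denied to a caller who is authenticated but lacks the configured role.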
