The internal URL is used for more than just admin actions, and admin is no longer a global flag, so this restriction is not suitable.
Duncan Thomas

On Nov 29, 2014 6:08 AM, "joehuang" <joehu...@huawei.com> wrote:
> Hello,
>
> if an ordinary user sends a get-token request to KeyStone, the internalURL and
> adminURL of endpoints will also be returned. This exposes the internal high
> privilege access address and some internal network topology information to
> the ordinary user, and leads to the risk of a malicious user attacking or
> hijacking the system.
>
> the request to get a token for an ordinary user:
> curl -d '{"auth":{"passwordCredentials":{"username": "huawei", "password":
> "2014"},"tenantName":"huawei"}}' -H "Content-type: application/json"
> http://localhost:5000/v2.0/tokens
>
> the response will include the internalURL and adminURL of endpoints:
> {"access": {"token": {"issued_at": "2014-11-27T02:30:59.218772",
> "expires": "2014-11-27T03:30:59Z", "id":
> "b8684d2b68ab49d5988da9197f38a878", "tenant": {"description": "normal
> Tenant", "enabled": true, "id": "7ed3351cd58349659f0bfae002f76a77", "name":
> "huawei"}, "audit_ids": ["Ejn3BtaBTWSNtlj7beE9bQ"]}, "serviceCatalog":
> [{"endpoints": [{"adminURL": "
> http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77", "region":
> "regionOne", "internalURL": "
> http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77", "id":
> "170a3ae617a1462c81bffcbc658b7746", "publicURL": "
> http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77"}],
> "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints":
> [{"adminURL": "http://10.67.148.27:9696", "region": "regionOne",
> "internalURL": "http://10.67.148.27:9696", "id":
> "7c0f28aa4710438bbd84fd25dbe4daa6", "publicURL": "http://10.67.148.27:9696"}],
> "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints":
> [{"adminURL": "http://10.67.148.27:9292", "region": "regionOne",
> "internalURL": "http://10.67.148.27:9292", "id":
> "576f41fc8ef14b4f90e516bb45897491", "publicURL": "http://10.67.148.27:9292"}],
> "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints":
> [{"adminURL": "http://10.67.148.27:8777", "region": "regionOne",
> "internalURL": "http://10.67.148.27:8777", "id":
> "77d464e146f242aca3c50e10b6cfdaa0", "publicURL": "http://10.67.148.27:8777"}],
> "endpoints_links": [], "type": "metering", "name": "ceilometer"},
> {"endpoints": [{"adminURL": "http://10.67.148.27:6385", "region":
> "regionOne", "internalURL": "http://10.67.148.27:6385", "id":
> "1b8177826e0c426fa73e5519c8386589", "publicURL": "http://10.67.148.27:6385"}],
> "endpoints_links": [], "type": "baremetal", "name": "ironic"},
> {"endpoints": [{"adminURL": "http://10.67.148.27:35357/v2.0", "region":
> "regionOne", "internalURL": "http://10.67.148.27:5000/v2.0", "id":
> "435ae249fd2a427089cb4bf2e6c0b8e9", "publicURL": "
> http://10.67.148.27:5000/v2.0"}], "endpoints_links": [], "type":
> "identity", "name": "keystone"}], "user": {"username": "huawei",
> "roles_links": [], "id": "a88a40a635334e5da2ac3523d9780ed3", "roles":
> [{"name": "_member_"}], "name": "huawei"}, "metadata": {"is_admin": 0,
> "roles": ["73b0a1ac6b0c48cb90205c53f2b9e48d"]}}}
>
> At least, the internalURL and adminURL of endpoints should not be returned
> to ordinary users, unless the admin has configured the policy to allow
> ordinary users the right to see them.
>
> Best Regards
> Chaoyi Huang ( Joe Huang )
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
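Added example, not code from either poster or from Keystone: a Python audit over a constructed v2.0 token response of the shape quoted above (placeholder hosts and ids, not the values from the message) that lists every internalURL/adminURL which differs from publicURL or names a non-public IP, together with the public-only catalog filtering the quoted message proposes. The reply's caveat still stands: internalURL serves non-admin traffic too, so the filter is a policy choice, while the audit is safe to run on any catalog.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample shaped like a Keystone v2.0 /v2.0/tokens response;
# placeholder addresses, not the values from the original message.
SAMPLE_RESPONSE = {"access": {"token": {"id": "PLACEHOLDER_TOKEN"}, "serviceCatalog": [
    {"type": "compute", "name": "nova", "endpoints": [{
        "region": "regionOne",
        "publicURL": "https://cloud.example.com:8774/v2/TENANT_ID",
        "internalURL": "http://10.0.0.5:8774/v2/TENANT_ID",
        "adminURL": "http://10.0.0.5:8774/v2/TENANT_ID"}]},
    {"type": "identity", "name": "keystone", "endpoints": [{
        "region": "regionOne",
        "publicURL": "https://cloud.example.com:5000/v2.0",
        "internalURL": "https://cloud.example.com:5000/v2.0",
        "adminURL": "http://10.0.0.9:35357/v2.0"}]},
]}}

NON_PUBLIC_KEYS = ("internalURL", "adminURL")


def _is_private_host(url):
    """True when the URL host is an IP literal that is not globally routable."""
    host = urlsplit(url).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # DNS name: cannot judge from the literal alone


def find_exposed_endpoints(response):
    """List (service, key, url) for each internalURL/adminURL that differs
    from publicURL or points at a non-public IP address."""
    findings = []
    for svc in response["access"]["serviceCatalog"]:
        for ep in svc.get("endpoints", []):
            public = ep.get("publicURL")
            for key in NON_PUBLIC_KEYS:
                url = ep.get(key)
                if url and (url != public or _is_private_host(url)):
                    findings.append((svc["name"], key, url))
    return findings


def public_only_catalog(response):
    """Copy of the catalog with internalURL/adminURL removed from each
    endpoint, i.e. the filtering the quoted message proposes."""
    return [{**svc, "endpoints": [{k: v for k, v in ep.items() if k not in NON_PUBLIC_KEYS}
                                  for ep in svc.get("endpoints", [])]}
            for svc in response["access"]["serviceCatalog"]]
```

On the sample, the keystone internalURL is not reported because it equals the publicURL and uses a DNS name, while its adminURL on a private address is.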