Public bug reported:
In a Newton deployment we found that a heat_stack_owner user can delete a heat stack from other projects.
For example, we have two domains, domain1 and domain2. In domain1 we have a project, project_domain1, which has the user user1; in domain2 we have a project, project_domain2, which has the user user2.
domain1->project_domain1->user1
domain2->project_domain2->user2
Create stack1 using user1:
boston-citron:/opt/openstack # unset ${!OS_*}
boston-citron:/opt/openstack # export OS_PROJECT_DOMAIN_NAME=domain1
boston-citron:/opt/openstack # export OS_USER_DOMAIN_NAME=domain1
boston-citron:/opt/openstack # export OS_PROJECT_NAME=project_domain1
boston-citron:/opt/openstack # export OS_USERNAME=user1
boston-citron:/opt/openstack # export OS_PASSWORD=123
boston-citron:/opt/openstack # export OS_AUTH_URL="$(python -meci_python_libs.tools.get_keystone_private_endpoint_url)/v3"
boston-citron:/opt/openstack # export OS_IDENTITY_API_VERSION=3
boston-citron:/opt/openstack # openstack --insecure stack create stack1 -t word.yaml
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+---------------------+--------------------------------------------------------------------------------------------------+
| Field               | Value                                                                                            |
+---------------------+--------------------------------------------------------------------------------------------------+
| id                  | e4f909a9-6e87-450a-9bbd-d2a24409367b                                                             |
| stack_name          | stack1                                                                                           |
| description         | A simple Heat template that spins up a 3 Tier App with 1 Web Server, 1 App Server,               |
|                     | and 1 DB Server on private networks and attaches them to security groups (HOT template in YAML). |
|                     |                                                                                                  |
| creation_time       | 2016-11-22T22:27:49Z                                                                             |
| updated_time        | None                                                                                             |
| stack_status        | CREATE_IN_PROGRESS                                                                               |
| stack_status_reason |                                                                                                  |
+---------------------+--------------------------------------------------------------------------------------------------+
Then create stack2 using user2:
boston-citron:/opt/openstack # unset ${!OS_*}
boston-citron:/opt/openstack # export OS_PROJECT_DOMAIN_NAME=domain2
boston-citron:/opt/openstack # export OS_USER_DOMAIN_NAME=domain2
boston-citron:/opt/openstack # export OS_PROJECT_NAME=project_domain2
boston-citron:/opt/openstack # export OS_USERNAME=user2
boston-citron:/opt/openstack # export OS_PASSWORD=123
boston-citron:/opt/openstack # export OS_AUTH_URL="$(python -meci_python_libs.tools.get_keystone_private_endpoint_url)/v3"
boston-citron:/opt/openstack # export OS_IDENTITY_API_VERSION=3
boston-citron:/opt/openstack #
boston-citron:/opt/openstack #
boston-citron:/opt/openstack # openstack --insecure stack create stack2 -t word.yaml
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+---------------------+--------------------------------------------------------------------------------------------------+
| Field               | Value                                                                                            |
+---------------------+--------------------------------------------------------------------------------------------------+
| id                  | b9476401-0da3-4c43-a0e4-3f8273a9e464                                                             |
| stack_name          | stack2                                                                                           |
| description         | A simple Heat template that spins up a 3 Tier App with 1 Web Server, 1 App Server,               |
|                     | and 1 DB Server on private networks and attaches them to security groups (HOT template in YAML). |
|                     |                                                                                                  |
| creation_time       | 2016-11-22T22:28:07Z                                                                             |
| updated_time        | None                                                                                             |
| stack_status        | CREATE_IN_PROGRESS                                                                               |
| stack_status_reason |                                                                                                  |
+---------------------+--------------------------------------------------------------------------------------------------+
Then user2 could list both stacks and could also delete stack1:
boston-citron:/opt/openstack # openstack --insecure stack list
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+--------------------------------------+------------+--------------------+----------------------+--------------+
| ID                                   | Stack Name | Stack Status       | Creation Time        | Updated Time |
+--------------------------------------+------------+--------------------+----------------------+--------------+
| b9476401-0da3-4c43-a0e4-3f8273a9e464 | stack2     | CREATE_IN_PROGRESS | 2016-11-22T22:28:07Z | None         |
| e4f909a9-6e87-450a-9bbd-d2a24409367b | stack1     | CREATE_IN_PROGRESS | 2016-11-22T22:27:49Z | None         |
+--------------------------------------+------------+--------------------+----------------------+--------------+
boston-citron:/opt/openstack # openstack --insecure stack delete e4f909a9-6e87-450a-9bbd-d2a24409367b
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
Are you sure you want to delete this stack(s) [y/N]? y
boston-citron:/opt/openstack # openstack --insecure stack list
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+--------------------------------------+------------+--------------------+----------------------+--------------+
| ID                                   | Stack Name | Stack Status       | Creation Time        | Updated Time |
+--------------------------------------+------------+--------------------+----------------------+--------------+
| b9476401-0da3-4c43-a0e4-3f8273a9e464 | stack2     | CREATE_COMPLETE    | 2016-11-22T22:28:07Z | None         |
| e4f909a9-6e87-450a-9bbd-d2a24409367b | stack1     | DELETE_IN_PROGRESS | 2016-11-22T22:27:49Z | None         |
+--------------------------------------+------------+--------------------+----------------------+--------------+
A user should never be able to delete a stack which belongs to another project unless it is a cloud admin. The situation that any heat_stack_owner user can delete any stack from any project is very dangerous.
** Affects: keystone
Importance: Undecided
Status: New
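As a defender's reference for the behaviour the report expects (an added illustration, not Heat's or Keystone's own policy code): a project-scoped check in which only a cloud admin, or a heat_stack_owner whose token is scoped to the stack's own domain and project, may see or delete a stack. The admin role name "admin", the class and function names, and the stack records built from the report's two domains and two stack ids are assumptions constructed here.

```python
from dataclasses import dataclass

ROLE_STACK_OWNER = "heat_stack_owner"  # role named in the report
ROLE_ADMIN = "admin"  # assumption: the deployment's cloud-admin role name


@dataclass(frozen=True)
class RequestContext:
    """Simplified view of a Keystone v3 project-scoped token."""
    user: str
    domain: str
    project: str
    roles: frozenset

    @property
    def is_cloud_admin(self) -> bool:
        return ROLE_ADMIN in self.roles


@dataclass(frozen=True)
class StackRecord:
    """Constructed stack record: id, name and the owning domain/project."""
    stack_id: str
    name: str
    domain: str
    project: str


def same_project(ctx: RequestContext, stack: StackRecord) -> bool:
    # Project names are only unique within a domain, so compare both.
    return ctx.domain == stack.domain and ctx.project == stack.project


def visible_stacks(ctx: RequestContext, stacks) -> list:
    """What 'openstack stack list' should return for this token."""
    return [s for s in stacks if ctx.is_cloud_admin or same_project(ctx, s)]


def may_delete(ctx: RequestContext, stack: StackRecord) -> bool:
    """Allow delete only for cloud admins, or stack owners in the stack's own project."""
    return ctx.is_cloud_admin or (ROLE_STACK_OWNER in ctx.roles and same_project(ctx, stack))


# Constructed data mirroring the report: two domains, two projects, two stacks.
OWNER = frozenset({ROLE_STACK_OWNER})
USER1 = RequestContext("user1", "domain1", "project_domain1", OWNER)
USER2 = RequestContext("user2", "domain2", "project_domain2", OWNER)
STACK1 = StackRecord("e4f909a9-6e87-450a-9bbd-d2a24409367b", "stack1", "domain1", "project_domain1")
STACK2 = StackRecord("b9476401-0da3-4c43-a0e4-3f8273a9e464", "stack2", "domain2", "project_domain2")
```

With these rules user2's "stack list" returns only stack2 and the delete of stack1 is refused, which is the outcome the report says a non-admin should get.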
--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1644040
Title: heat_stack_owner users could see and delete other projects' heat stacks
Status in OpenStack Identity (keystone): New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1644040/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to: [email protected]
Unsubscribe: https://launchpad.net/~yahoo-eng-team
More help: https://help.launchpad.net/ListHelp