[openstack-dev] [Keystone] internalURL and adminURL of endpoints should not be visible to ordinary user

Fri, 28 Nov 2014 20:05:15 -0800 

Hello,

if an ordinary user sent a get-token request to KeyStone, internalURL and 
adminURL of endpoints will also be returned. It'll expose the internal high 
privilege access address and some internal network topology information to the 
ordinary user, and leads to the risk for malicious user to attack or hijack the 
system.

the request to get token for ordinary user:
curl -d '{"auth":{"passwordCredentials":{"username": "huawei", "password": 
"2014"},"tenantName":"huawei"}}' -H "Content-type: application/json" 
http://localhost:5000/v2.0/tokens

the response will include internalURL and adminURL of endpoints:
{"access": {"token": {"issued_at": "2014-11-27T02:30:59.218772", "expires": 
"2014-11-27T03:30:59Z", "id": "b8684d2b68ab49d5988da9197f38a878", "tenant": 
{"description": "normal Tenant", "enabled": true, "id": 
"7ed3351cd58349659f0bfae002f76a77", "name": "huawei"}, "audit_ids": 
["Ejn3BtaBTWSNtlj7beE9bQ"]}, "serviceCatalog": [{"endpoints": [{"adminURL": 
"http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77";, "region": 
"regionOne", "internalURL": 
"http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77";, "id": 
"170a3ae617a1462c81bffcbc658b7746", "publicURL": 
"http://10.67.148.27:8774/v2/7ed3351cd58349659f0bfae002f76a77"}], 
"endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": 
[{"adminURL": "http://10.67.148.27:9696";, "region": "regionOne", "internalURL": 
"http://10.67.148.27:9696";, "id": "7c0f28aa4710438bbd84fd25dbe4daa6", 
"publicURL": "http://10.67.148.27:9696"}], "endpoints_links": [], "type": 
"network", "name": "neutron"}, {"endpoints": [{"adminURL": "ht
 tp://10.67.148.27:9292", "region": "regionOne", "internalURL": 
"http://10.67.148.27:9292";, "id": "576f41fc8ef14b4f90e516bb45897491", 
"publicURL": "http://10.67.148.27:9292"}], "endpoints_links": [], "type": 
"image", "name": "glance"}, {"endpoints": [{"adminURL": 
"http://10.67.148.27:8777";, "region": "regionOne", "internalURL": 
"http://10.67.148.27:8777";, "id": "77d464e146f242aca3c50e10b6cfdaa0", 
"publicURL": "http://10.67.148.27:8777"}], "endpoints_links": [], "type": 
"metering", "name": "ceilometer"}, {"endpoints": [{"adminURL": 
"http://10.67.148.27:6385";, "region": "regionOne", "internalURL": 
"http://10.67.148.27:6385";, "id": "1b8177826e0c426fa73e5519c8386589", 
"publicURL": "http://10.67.148.27:6385"}], "endpoints_links": [], "type": 
"baremetal", "name": "ironic"}, {"endpoints": [{"adminURL": 
"http://10.67.148.27:35357/v2.0";, "region": "regionOne", "internalURL": 
"http://10.67.148.27:5000/v2.0";, "id": "435ae249fd2a427089cb4bf2e6c0b8e9", 
"publicURL": "http://10.67.148.27:5000/v2.0";
 }], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": 
{"username": "huawei", "roles_links": [], "id": 
"a88a40a635334e5da2ac3523d9780ed3", "roles": [{"name": "_member_"}], "name": 
"huawei"}, "metadata": {"is_admin": 0, "roles": 
["73b0a1ac6b0c48cb90205c53f2b9e48d"]}}}

At least, the internalURL and adminURL of endpoints should not be returned to 
ordinary users, only if the admin configured the policy to allow ordinary user 
has the right to see it.

Best Regards
Chaoyi Huang ( Joe Huang )


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to