We'll be switching this bug public shortly along with bug 1916926 under a single publication (OSSN-0088).
** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2021-05-26 and will be made
- public by or on that date even if no fix is identified.
- 
- 
- As a user of a project, I can see resource types associated to private namespaces I don't have access to:
+ As a user of a project, I can see resource types associated to private
+ namespaces I don't have access to:

** Information type changed from Private Security to Public

** Summary changed:

- Glance leaks resource types across namespaces
+ [OSSN-0088] Glance leaks resource types across namespaces

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: ossn
   Importance: Undecided => Critical

** Changed in: ossn
       Status: New => Fix Released

** Changed in: ossn
     Assignee: (unassigned) => Abhishek Kekane (abhishek-kekane)

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1916922

Title:
  [OSSN-0088] Glance leaks resource types across namespaces

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  As a user of a project, I can see resource types associated to private
  namespaces I don't have access to:

  ╭─ubuntu@glance-devstack ~/devstack ‹master*›
  ╰─➤ $ cat alicerc
  export OS_CACERT=
  export OS_PROJECT_NAME=separate
  export OS_USERNAME=alice
  export OS_PASSWORD=password
  export OS_REGION_NAME=RegionOne
  export OS_IDENTITY_API_VERSION=3
  export OS_AUTH_TYPE=password
  export OS_AUTH_URL=http://192.168.1.155/identity
  export OS_USER_DOMAIN_ID=default
  export OS_PROJECT_DOMAIN_ID=default
  export OS_VOLUME_API_VERSION=3

  ╭─ubuntu@glance-devstack ~/devstack ‹master*›
  ╰─➤ $ source alicerc

  ╭─ubuntu@glance-devstack ~/devstack ‹master*›
  ╰─➤ $ glance md-namespace-list
  +------------------------------------------+
  | namespace                                |
  +------------------------------------------+
  | OS::Software::DBMS                       |
  | CIM::ResourceAllocationSettingData       |
  | OS::Compute::CPUPinning                  |
  | OS::Compute::Watchdog                    |
  | OS::Compute::GuestMemoryBacking          |
  | OS::Compute::AggregateDiskFilter         |
  | OS::Compute::RandomNumberGenerator       |
  | OS::Compute::Hypervisor                  |
  | OS::Compute::AggregateIoOpsFilter        |
  | OS::Compute::VirtCPUTopology             |
  | OS::Compute::HostCapabilities            |
  | CIM::ProcessorAllocationSettingData      |
  | OS::Compute::GuestShutdownBehavior       |
  | OS::Cinder::Volumetype                   |
  | OS::Software::WebServers                 |
  | OS::Compute::Libvirt                     |
  | OS::Compute::XenAPI                      |
  | OS::Compute::Quota                       |
  | OS::Compute::VMwareFlavor                |
  | OS::Compute::VMwareQuotaFlavor           |
  | OS::Compute::InstanceData                |
  | OS::Compute::LibvirtImage                |
  | OS::Compute::AggregateNumInstancesFilter |
  | OS::Glance::Signatures                   |
  | CIM::VirtualSystemSettingData            |
  | CIM::StorageAllocationSettingData        |
  | OS::Software::Runtimes                   |
  | OS::Compute::VMware                      |
  +------------------------------------------+

  ╭─ubuntu@glance-devstack ~/devstack ‹master*›
  ╰─➤ $ glance md-namespace-create alice-namespace
  +------------+----------------------------------+
  | Property   | Value                            |
  +------------+----------------------------------+
  | created_at | 2021-02-25T15:55:55Z             |
  | namespace  | alice-namespace                  |
  | owner      | 67f1495e5dc145abbfa7059c63c6eda2 |
  | protected  | False                            |
  | schema     | /v2/schemas/metadefs/namespace   |
  | updated_at | 2021-02-25T15:55:55Z             |
  | visibility | private                          |
  +------------+----------------------------------+

  ╭─ubuntu@glance-devstack ~/devstack ‹master*›
  ╰─➤ $ glance md-resource-type-associate --name alice-resource-type alice-namespace
  +------------+----------------------+
  | Property   | Value                |
  +------------+----------------------+
  | created_at | 2021-02-25T15:57:29Z |
  | name       | alice-resource-type  |
  | updated_at | 2021-02-25T15:57:29Z |
  +------------+----------------------+

  Now as a separate user

  ╭─ubuntu@glance-devstack ~/devstack ‹master*›
  ╰─➤ $ source openrc demo demo
  is_service_enabled:29: command not found: set +o xtrace
  WARNING: setting legacy OS_TENANT_NAME to support cli tools.

  ╭─ubuntu@glance-devstack ~/devstack ‹master*›
  ╰─➤ $ glance md-resource-type-list
  +---------------------+
  | name                |
  +---------------------+
  | OS::Glance::Image   |
  | OS::Cinder::Volume  |
  | OS::Nova::Server    |
  | OS::Nova::Aggregate |
  | OS::Nova::Flavor    |
  | OS::Trove::Instance |
  | bar                 |
  | test                |
  | alice-resource-type |
  +---------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1916922/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
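The manual check in the report above (list resource types as a second project, then notice a name that only exists because of someone else's private namespace) can be scripted. The following is an added example, not code from Glance, the OSSN, or the bug reporter. It hits the same Glance v2 metadefs endpoints the `glance md-*` commands use: `GET /v2/metadefs/resource_types` for the global resource type list, `GET /v2/metadefs/namespaces` (following `next` links) for the namespaces the caller can read, and `GET /v2/metadefs/namespaces/{ns}/resource_types` for each namespace's associations. Any name in the global list that no readable namespace accounts for was learned from a namespace the caller cannot see. The `GLANCE_ENDPOINT` environment variable and the `SAMPLE_*` data are assumptions made for this example; the sample associations are constructed (the report never prints them), with alice's private namespace deliberately absent because `demo` cannot list it.

```python
"""Check a Glance deployment for cross-namespace resource type leakage (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Set, Tuple


def reachable_resource_types(associations: Dict[str, Iterable[str]]) -> Set[str]:
    """Union of the resource types associated with every namespace the caller can read."""
    reachable: Set[str] = set()
    for names in associations.values():
        reachable.update(names)
    return reachable


def leaked_resource_types(global_list: Iterable[str],
                          associations: Dict[str, Iterable[str]]) -> List[str]:
    """Names in the global resource type list that no readable namespace explains."""
    return sorted(set(global_list) - reachable_resource_types(associations))


# --- live mode against a real Glance endpoint (needs a Keystone token) ---------

def _get_json(endpoint: str, token: str, path: str) -> dict:
    """GET a Glance v2 path with X-Auth-Token and decode the JSON body."""
    req = urllib.request.Request(
        endpoint.rstrip("/") + path,
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _paged(endpoint: str, token: str, path: str, key: str) -> List[dict]:
    """Follow Glance's relative 'next' links so namespaces past the default page size are seen."""
    items: List[dict] = []
    while path:
        page = _get_json(endpoint, token, path)
        items.extend(page.get(key, []))
        path = page.get("next")  # absent on the last page
    return items


def collect_from_glance(endpoint: str, token: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global resource type names, {namespace: [associated type names]}) as one user."""
    body = _get_json(endpoint, token, "/v2/metadefs/resource_types")
    global_list = [rt["name"] for rt in body["resource_types"]]
    associations: Dict[str, List[str]] = {}
    for ns in _paged(endpoint, token, "/v2/metadefs/namespaces", "namespaces"):
        name = ns["namespace"]
        quoted = urllib.parse.quote(name, safe="")
        rts = _get_json(endpoint, token, f"/v2/metadefs/namespaces/{quoted}/resource_types")
        associations[name] = [rt["name"] for rt in rts.get("resource_types", [])]
    return global_list, associations


# --- constructed sample, modelled on the `demo` user's output in the report ---

SAMPLE_GLOBAL_LIST = [  # exactly what `glance md-resource-type-list` printed for demo
    "OS::Glance::Image", "OS::Cinder::Volume", "OS::Nova::Server",
    "OS::Nova::Aggregate", "OS::Nova::Flavor", "OS::Trove::Instance",
    "bar", "test", "alice-resource-type",
]
SAMPLE_ASSOCIATIONS = {  # constructed: the report does not show these associations
    "OS::Compute::CPUPinning": ["OS::Nova::Flavor", "OS::Nova::Aggregate"],
    "OS::Compute::Libvirt": ["OS::Nova::Server", "OS::Glance::Image"],
    "OS::Cinder::Volumetype": ["OS::Cinder::Volume"],
    "OS::Software::DBMS": ["OS::Glance::Image", "OS::Trove::Instance"],
    "demo-namespace": ["bar", "test"],  # constructed: demo's own namespace
    "OS::Compute::Quota": [],           # a namespace with no associations is fine
}


def main() -> None:
    endpoint = os.environ.get("GLANCE_ENDPOINT")  # assumed name, e.g. http://host/image
    token = os.environ.get("OS_TOKEN")
    if endpoint and token:
        global_list, associations = collect_from_glance(endpoint, token)
    else:
        global_list, associations = SAMPLE_GLOBAL_LIST, SAMPLE_ASSOCIATIONS
    leaked = leaked_resource_types(global_list, associations)
    for name in leaked:
        print(f"resource type not explained by any readable namespace: {name}")
    sys.exit(1 if leaked else 0)


if __name__ == "__main__":
    main()
```

Run it with a token scoped to a project that owns no private namespaces and compare the flagged names with an admin-scoped run: a name that the admin view also cannot attribute to any namespace is an orphaned resource type rather than a leak, so confirm each hit before treating it as another project's data. On the constructed sample the only flagged name is `alice-resource-type`, matching what the report shows.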