Red Hat Bugzilla – Bug 1314579
User has escalated permissions (can create containers) in project where username == projectname
Last modified: 2016-12-14 10:25:22 EST
Description of problem:
User with the same project name and ‘_member_’ role can create containers on Swift Object Storage. For example, if i have a project named ‘chiaretto’ and a user also named ‘chiaretto’ the user ‘chiaretto’ can access ‘Object Storage -> Containers’ on Horizon and create containers. If i change the project’s name to ‘chiaretto1’ the user chiaretto loses the create permission and the message ‘Error: Unable to create container.’ is shown on Horizon dashboard.
Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.2 (Maipo)
Openstack version 2015.1.2
How reproducible/Steps to Reproduce:
1. Install Openstack and enable modules below:
== Nova ==
== Glance ==
== Keystone ==
== Horizon ==
== Neutron ==
== Swift ==
== Cinder ==
== Ceilometer ==
== Heat ==
2. As 'admin' user create a project named 'chiaretto'
3. As 'admin' user create a user named 'chiaretto', project default 'chiaretto' and role '_member_'
4. Go to ‘Object Storage -> Containers’ and the button ‘Create Container’ is enabled and the user can create containers.
User with same name as it’s projects and ‘_member_’ role can create containers
Users with roles ‘_member_’ cannot create containers.
Does the user ‘chiaretto’ with role ‘_member_’ can create containers on ‘chiaretto’ project?
This behavior is expected with older Swift releases; it has been deprecated since 1.8.0 (Grizzly) and was removed in Mitaka: https://github.com/openstack/swift/commit/335d5861
In RDO, RHEL OSP and director the corresponding setting "is_admin" will be set to true. For reference: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/chapter-10-object-storage#idm140067302396848 Note that this defaults to False upstream only.
The report seemed so obvious that we forgot to verify if is_admin was
in fact set. Luiz, please attach the actual proxy-server.conf to this bug.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.