Bug 1314579 - User has escalated permissions (can create containers) in project where username == projectname
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-swift
unspecified
x86_64 Linux
unspecified Severity low
: rc
: 10.0 (Newton)
Assigned To: Pete Zaitcev
Mike Abrams
: Triaged
 
Reported: 2016-03-03 19:23 EST by Luiz Gustavo Chiaretto
Modified: 2016-12-14 10:25 EST

Fixed In Version: puppet-swift-9.4.1-2.el7ost
Doc Type: Bug Fix
Last Closed: 2016-12-14 10:25:22 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 345029 None None None 2016-07-20 16:20 EDT
RDO 1698 None None None 2016-07-20 16:32 EDT

Description Luiz Gustavo Chiaretto 2016-03-03 19:23:03 EST
Description of problem:

User with the same project name and ‘_member_’ role can create containers on Swift Object Storage. For example, if I have a project named ‘chiaretto’ and a user also named ‘chiaretto’, the user ‘chiaretto’ can access ‘Object Storage -> Containers’ on Horizon and create containers. If I change the project’s name to ‘chiaretto1’, the user chiaretto loses the create permission and the message ‘Error: Unable to create container.’ is shown on the Horizon dashboard.

Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server release 7.2 (Maipo)
OpenStack version 2015.1.2
Repo rhel-7-server-openstack-7.0-rpms/7Server/x86_64

How reproducible/Steps to Reproduce:

1. Install OpenStack and enable the modules below:

== Nova ==
== Glance ==
== Keystone ==
== Horizon ==
== Neutron ==
== Swift ==
== Cinder ==
== Ceilometer ==
== Heat ==

2. As 'admin' user create a project named 'chiaretto'
3. As 'admin' user create a user named 'chiaretto', project default 'chiaretto' and role '_member_'
4. Go to ‘Object Storage -> Containers’ and the button ‘Create Container’ is enabled and the user can create containers.

Actual results:

User with the same name as its project and ‘_member_’ role can create containers

Expected results:

Users with role ‘_member_’ cannot create containers.

Can the user ‘chiaretto’ with role ‘_member_’ create containers on the ‘chiaretto’ project?
Comment 2 Christian Schwede (cschwede) 2016-07-21 05:10:32 EDT
This behavior is expected with older Swift releases; it has been deprecated since 1.8.0 (Grizzly) and was removed in Mitaka: https://github.com/openstack/swift/commit/335d5861

In RDO, RHEL OSP and director the corresponding setting "is_admin" will be set to true. For reference: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/chapter-10-object-storage#idm140067302396848 Note that this defaults to False upstream only.
Comment 3 Pete Zaitcev 2016-09-15 17:56:48 EDT
The report seemed so obvious that we forgot to verify if is_admin was
in fact set. Luiz, please attach the actual proxy-server.conf to this bug.
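
The check requested in Comment 3, as an added example that is not part of the original bug report and not code from Swift or puppet-swift: it audits the text of a proxy-server.conf for `is_admin` in keystoneauth filter sections and models the name-match rule described in this bug. The sample config, the function names, the default `operator_roles` value and the simplified decision model are assumptions of this example.

```python
import configparser

# Truthy strings; assumed to match Swift's config_true_value().
TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}

# Constructed sample for illustration, not the reporter's configuration.
SAMPLE_CONF = """\
[DEFAULT]
bind_port = 8080

[pipeline:main]
pipeline = catch_errors authtoken keystone proxy-server

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
is_admin = true
"""


def audit_proxy_conf(text):
    """Return one finding per keystoneauth filter section in the config text."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: '%' in values is literal
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        use = cp.get(section, "use", fallback="")
        if not section.startswith("filter:") or not use.strip().endswith("#keystoneauth"):
            continue
        # Fallbacks are the upstream defaults as assumed by this example.
        flag = cp.get(section, "is_admin", fallback="false")
        roles = cp.get(section, "operator_roles", fallback="admin, swiftoperator")
        findings.append({
            "section": section,
            "is_admin": flag.strip().lower() in TRUE_VALUES,
            "operator_roles": [r.strip().lower() for r in roles.split(",") if r.strip()],
        })
    return findings


def grants_owner(finding, user_name, project_name, user_roles):
    """Simplified model: operator role, or is_admin plus user name == project name."""
    if {r.lower() for r in user_roles} & set(finding["operator_roles"]):
        return True
    return bool(finding["is_admin"] and user_name == project_name)


if __name__ == "__main__":
    for f in audit_proxy_conf(SAMPLE_CONF):
        risky = grants_owner(f, "chiaretto", "chiaretto", ["_member_"])
        print(f["section"], "is_admin =", f["is_admin"], "-> name match grants owner:", risky)
```

To audit a deployed node, pass the contents of its proxy-server.conf to `audit_proxy_conf()` and treat any finding with `is_admin` set to true as one to review.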
Comment 8 errata-xmlrpc 2016-12-14 10:25:22 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html
