Bug 1314579 - User has escalated permissions (can create containers) in project where username == projectname
Summary: User has escalated permissions (can create containers) in project where usern...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-swift
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
: 10.0 (Newton)
Assignee: Pete Zaitcev
QA Contact: Mike Abrams
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-04 00:23 UTC by Luiz Gustavo Chiaretto
Modified: 2016-12-14 15:25 UTC (History)
11 users (show)

Fixed In Version: puppet-swift-9.4.1-2.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 15:25:22 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 345029 0 None MERGED Deprecate is_admin option from Keystone mw config in Swift proxy 2020-03-13 03:44:47 UTC
RDO 1698 0 None None None 2016-07-20 20:32:09 UTC
Red Hat Product Errata RHEA-2016:2948 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC

Description Luiz Gustavo Chiaretto 2016-03-04 00:23:03 UTC 
Description of problem:

User with the same project name and ‘_member_’ role can create containers on Swift Object Storage. For example, if i have a project named ‘chiaretto’ and a user also named ‘chiaretto’ the user ‘chiaretto’ can access ‘Object Storage -> Containers’ on Horizon and create containers. If i change the project’s name to ‘chiaretto1’ the user chiaretto loses the create permission and the message ‘Error: Unable to create container.’ is shown on Horizon dashboard.

Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server release 7.2 (Maipo)
Openstack version 2015.1.2
Repo rhel-7-server-openstack-7.0-rpms/7Server/x86_64

How reproducible/Steps to Reproduce:

1. Install Openstack and enable modules below:

== Nova ==
== Glance ==
== Keystone ==
== Horizon ==
== Neutron ==
== Swift ==
== Cinder ==
== Ceilometer ==
== Heat ==

2. As 'admin' user create a project named 'chiaretto'
3. As 'admin' user create a user named 'chiaretto', project default 'chiaretto' and role '_member_'
4. Go to ‘Object Storage -> Containers’ and the button ‘Create Container’ is enabled and the user can create containers.

Actual results:

User with same name as it’s projects and ‘_member_’ role can create containers 

Expected results:

Users with roles ‘_member_’ cannot create containers. 

Does the user ‘chiaretto’ with role ‘_member_’ can create containers on ‘chiaretto’ project?
Comment 2 Christian Schwede (cschwede) 2016-07-21 09:10:32 UTC 
This behavior is expected with older Swift releases; it has been deprecated since 1.8.0 (Grizzly) and was removed in Mitaka: https://github.com/openstack/swift/commit/335d5861

In RDO, RHEL OSP and director the corresponding setting "is_admin" will be set to true. For reference: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/chapter-10-object-storage#idm140067302396848 Note that this defaults to False upstream only.
Comment 3 Pete Zaitcev 2016-09-15 21:56:48 UTC 
The report seemed so obvious that we forgot to verify if is_admin was
in fact set. Luiz, please attach the actual proxy-server.conf to this bug.
Comment 8 errata-xmlrpc 2016-12-14 15:25:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html
Note You need to log in before you can comment on or make changes to this bug.