Bug 1380780 - Problems with auth based on group membership
Summary: Problems with auth based on group membership
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.0.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ovirt-4.0.5
Target Release: 4.0.5.2
Assignee: Martin Perina
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-09-30 14:24 UTC by Anton
Modified: 2017-01-18 07:38 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-01-18 07:38:55 UTC
oVirt Team: Infra
Embargoed:
oourfali: ovirt-4.0.z?
rule-engine: planning_ack?
oourfali: devel_ack+
pnovotny: testing_ack+


Attachments
screen1 (70.10 KB, image/png) - 2016-09-30 14:24 UTC, Anton
screen2 (127.16 KB, image/png) - 2016-09-30 14:25 UTC, Anton
ui.log (4.49 KB, text/plain) - 2016-09-30 14:25 UTC, Anton


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 65405 0 master MERGED aaa: Assign unique id to each logged in user 2016-10-12 21:17:03 UTC
oVirt gerrit 65429 0 ovirt-engine-4.0 MERGED aaa: Assign unique id to each logged in user 2016-10-14 08:29:12 UTC
oVirt gerrit 65460 0 ovirt-engine-4.0.5 MERGED aaa: Assign unique id to each logged in user 2016-10-17 09:01:55 UTC

Description Anton 2016-09-30 14:24:13 UTC
Created attachment 1206298 [details]
screen1

Description of problem: 

We have two critical problems 

A. Authentication to UserPortal based on group membership (local, ActiveDirectory) allows access to VMs of other groups if members of different user groups are connected to UserPortal simultaneously.
B. If a user connected to UserPortal (based on group membership) with extended permission (create objects) creates a VM, then this VM gets a permission with an "empty" owner and the "UserVmManager" role. After that every domain user can log in to UserPortal, get access to the object with the "empty" permission and create new objects based on the "UserVmManager" role.

Version-Release number of selected component (if applicable): oVirt 4.0.3

How reproducible:
always. 
The problem reproduces with ActiveDirectory (AD) groups and local groups. 
I suppose that the problem can also be reproduced with other Directory services (we didn't check all of them).
I should note that the problems are not reproduced if Users are used instead of Groups.

Steps to Reproduce:

Initial settings:

1. Local user with Super permission - admin (local)
2. AD group "ovirt_admins" 
3. AD user  "virtadmin"  member of "ovirt_admins"
4. AD groups  "ovirt_group_01" and  "ovirt_group_02". 
5. AD user "ovirt01"  member of "ovirt_group_01" only
6. AD user "ovirt02"  member of "ovirt_group_02" only
7. AD user "testuser" - usual user with default permissions (domain users)


Actions:

1. Create a System permission based on the "ovirt_admins" group with the SuperUser role
2. Log in to AdminPortal as "virtadmin" and create a few VMs: VM1 and VM2 
3. Assign permissions to these VMs on the VM level: 
   - VM1: allow "ovirt_group_01" with the "UserRole" role
   - VM2: allow "ovirt_group_02" with the "UserRole" role
4. Connect to UserPortal as ovirt01; it can see VM1. Keep this session.
5. Open another browser (or from another host) and connect to UserPortal as ovirt02. I can see VM1 and VM2 !!!! Also the "ovirt02" user can manage both VMs with the "UserRole" permission. 
6. Refresh the "ovirt01" session; after that I can also see VM1 and VM2 !!!
7. Log off the "ovirt02" session. Look at the "ovirt01" session - "ovirt01" can see only VM1.
8. Create a new VM3 as "virtadmin" with permission: VM3 allow "ovirt_group_01" with the "UserRole" role
9. Log in to UserPortal as "ovirt02" and again each user can see/manage the VMs of the other user: ovirt01 can see VM1/VM2/VM3; ovirt02 can see VM1/VM2/VM3
10. Try to connect to UserPortal as "testuser" - not allowed.
11. Add "virtadmin" to the "ovirt_group_01" group in AD
12. Log in to UserPortal as "virtadmin"; it gets the extended portal options. Create VM4 using these options from UserPortal 
13. Look at the permissions of VM4. It has a permission with an empty owner and the "UserVmManager" role. 
14. Try to log in to UserPortal as "testuser" - allowed !!!! Now this user has access to VM4 and can create new objects using the Extended portal. This means any domain user has the same permissions.
15. Log in to AdminPortal using the local "admin" and try to remove the "empty" permission from VM4 - I get an error (look at the screen). I also attached the error from ui.log

I also noticed the following strange behavior: 
1. Log in to AdminPortal using the local "admin" 
2. Set a limited admin role permission on a VM (VM level - the lowest level of the permission hierarchy), for example the "AuditLogManager" role for the "Everyone" user.
3. Create a new AD user without any permission, for example user2
4. Connect to AdminPortal as "user2" - allowed !!! Now this user can see all Admin objects. 

Actual results:

1. Users connected to UserPortal simultaneously (based on group auth) can see VMs of other users, even though they have no permission to see these VMs.
2. If the "empty" permission problem appears, then any domain user can get access to UserPortal and create new VMs
3. Admin (user with max permission) can't delete the permission on the object

Expected results:

1. User in UserPortal should not see/manage VMs of other groups.
2. Users should get access to Portal based on group membership only
3. Admin should have SuperUser permission.
 

Additional info:
Screenshot of "empty" permission - screen1
Screenshot of error during trying to remove "empty" permission - screen2
Part of ui.log from the engine - ui.log
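The two failure modes in the report (a permission that names no principal, and sessions listing VMs that the user's groups were never granted) can be checked offline against a permission dump. The following is an added example written for this page, not code from oVirt. The records are constructed here in a simplified dict form mirroring what GET /ovirt-engine/api/permissions returns (user, group, role, object); the role names are oVirt's built-in ones; the set of roles treated as admin roles and the handling of the Everyone group are assumptions of the example, taken from the report's description of the "strange behavior".

```python
"""Audit a permission dump for the problems described in this bug.

Added example for this page, not oVirt's own code.  Records are constructed
in a simplified form of the /ovirt-engine/api/permissions output: each
permission names a role, an object, and either a user or a group.
"""

EVERYONE = "Everyone"  # oVirt's built-in group containing every authenticated user

# Assumption: oVirt admin roles (any admin role on any object grants AdminPortal
# login).  Only the two admin roles that appear in this report are listed.
ADMIN_ROLES = {"SuperUser", "AuditLogManager"}

# Constructed sample: the permission state after step 13 of the report.
SAMPLE_PERMISSIONS = [
    {"id": "p1", "role": "SuperUser",     "group": "ovirt_admins",   "user": None, "object": "System"},
    {"id": "p2", "role": "UserRole",      "group": "ovirt_group_01", "user": None, "object": "VM1"},
    {"id": "p3", "role": "UserRole",      "group": "ovirt_group_02", "user": None, "object": "VM2"},
    {"id": "p4", "role": "UserRole",      "group": "ovirt_group_01", "user": None, "object": "VM3"},
    # VM4 created from UserPortal: a role, but no user and no group (the "empty owner")
    {"id": "p5", "role": "UserVmManager", "group": None,             "user": None, "object": "VM4"},
]

# Constructed: the "strange behavior" grant, an admin role given to Everyone on a VM.
EVERYONE_AUDIT_GRANT = {"id": "p6", "role": "AuditLogManager", "group": EVERYONE,
                        "user": None, "object": "VM1"}

# Constructed directory memberships from the report's initial settings (after step 11).
USER_GROUPS = {
    "virtadmin": {"ovirt_admins", "ovirt_group_01"},
    "ovirt01":   {"ovirt_group_01"},
    "ovirt02":   {"ovirt_group_02"},
    "testuser":  set(),
}

# Constructed: what each concurrent UserPortal session actually listed at step 9.
OBSERVED_VMS = {"ovirt01": {"VM1", "VM2", "VM3"}, "ovirt02": {"VM1", "VM2", "VM3"}}


def find_empty_owner_permissions(perms):
    """Permission ids that name neither a user nor a group."""
    return [p["id"] for p in perms if not p.get("user") and not p.get("group")]


def find_everyone_admin_grants(perms, admin_roles=ADMIN_ROLES):
    """Permission ids that hand an admin role to Everyone, at any object level."""
    return [p["id"] for p in perms
            if p.get("group") == EVERYONE and p["role"] in admin_roles]


def expected_visibility(perms, user_groups):
    """Objects each user is entitled to see: grants to the user, to one of the
    user's groups, or to Everyone.  A principal-less grant entitles nobody."""
    visible = {user: set() for user in user_groups}
    for p in perms:
        for user, groups in user_groups.items():
            if p.get("user") == user or p.get("group") == EVERYONE or p.get("group") in groups:
                visible[user].add(p["object"])
    return visible


def find_leaks(observed, expected):
    """Per user, the objects a session showed beyond what the permissions justify."""
    leaks = {}
    for user, seen in observed.items():
        extra = seen - expected.get(user, set())
        if extra:
            leaks[user] = extra
    return leaks


if __name__ == "__main__":
    print("empty-owner permissions:", find_empty_owner_permissions(SAMPLE_PERMISSIONS))
    print("admin roles on Everyone:",
          find_everyone_admin_grants(SAMPLE_PERMISSIONS + [EVERYONE_AUDIT_GRANT]))
    print("cross-group leaks:",
          find_leaks(OBSERVED_VMS, expected_visibility(SAMPLE_PERMISSIONS, USER_GROUPS)))
```

The leak check only means something when the observed lists come from sessions that were logged in at the same time: step 7 of the report shows the extra VMs disappearing as soon as the other session logs off, so capture each session's VM list while both are open and compare against the entitlement computed from the permission dump.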

Comment 1 Anton 2016-09-30 14:25:08 UTC
Created attachment 1206299 [details]
screen2

Comment 2 Anton 2016-09-30 14:25:42 UTC
Created attachment 1206300 [details]
ui.log

Comment 3 Oved Ourfali 2016-10-01 12:22:33 UTC
Seems like a virt issue.

Comment 4 Anton 2016-10-06 09:18:50 UTC
Hello , 

I think that this issue looks like a really serious problem related to security.
Can I expect that someone will take on this task in the near future?

Comment 5 Tomas Jelinek 2016-10-11 08:34:14 UTC
After an offline discussion with Martin we came to the conclusion that since the UserPortalListModel only calls GetAllVms with filter: true, it seems to be an infra issue. Moving to infra.

Comment 6 Oved Ourfali 2016-10-11 09:26:32 UTC
The permission views are under the verticals. Moving back to virt, unless there is another reason.

Comment 10 Anton 2016-10-12 10:47:22 UTC
Hello Oved , 

Does this mean that the problem will be fixed in the 4.0.5 version?

Comment 11 Martin Perina 2016-10-12 10:50:47 UTC
(In reply to Anton from comment #10)
> Hello Oved , 
> 
> Does this mean that the problem will be fixed in the 4.0.5 version?

We are still analyzing the issue, but currently the fix should be included in 4.0.5

Comment 12 Anton 2016-10-12 11:48:45 UTC
Great news. We are looking forward to the 4.0.5 version.

Comment 13 Gonza 2016-11-07 15:17:22 UTC
Verified with:
rhevm-4.0.5.5-0.1.el7ev.noarch
