Bug #51206 (closed): Creating a role in another tenant seems to be possible
Description
This is a follow up for the thread on the mailing list
https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/5HWL3AV275Y5B4UMIEBMF34NDGDVABK4/
Using aws cli console (likely in other ways as well) it is possible to create a role in a tenant other than user's.
This can be done by prefixing the role name with tenantName$
The issue holds true both for the users authenticating with access keys and federated users who assume a role granting permissions to create roles.
This allows unauthorised cross-tenant access to be obtained.
Reproduced on Ceph 16.2.1
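As an added illustration (not the fix from PR 41858 and not RGW code), the following shows one way a CreateRole handler can pin the new role's tenant to the caller's own identity instead of trusting a "tenant$name" prefix in the request. The uid format, the role ARN format and the function names are assumptions made for this example.

```python
import re
from typing import Optional, Tuple

# Role name as sent in CreateRole: an optional "tenant$" prefix, then the name.
# Constructed for this example; not RGW's own parser.
ROLE_NAME_RE = re.compile(r"^(?:(?P<tenant>[^$]*)\$)?(?P<name>[\w+=,.@-]+)$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(?P<tenant>[^:]*):role/")


class CrossTenantRoleError(PermissionError):
    """Caller asked to create a role in a tenant other than its own."""


def tenant_of_caller(uid: Optional[str] = None, assumed_role_arn: Optional[str] = None) -> str:
    """Derive the caller's tenant from its identity, never from the request.

    Access-key users carry it in the uid ("tenant$user"); federated callers
    inherit it from the role they assumed ("arn:aws:iam::tenant:role/name").
    An empty string is the default (unnamed) tenant.
    """
    if assumed_role_arn is not None:
        m = ROLE_ARN_RE.match(assumed_role_arn)
        if not m:
            raise ValueError(f"not a role ARN: {assumed_role_arn}")
        return m.group("tenant")
    if uid is None:
        raise ValueError("need a uid or an assumed role ARN")
    tenant, sep, _user = uid.rpartition("$")
    return tenant if sep else ""


def resolve_role_tenant(caller_tenant: str, requested_name: str) -> Tuple[str, str]:
    """Return (tenant, role_name) that the new role will be created in.

    A bare name lands in the caller's tenant. A "tenant$name" prefix is only
    honoured when it names the caller's own tenant; any other prefix is refused
    rather than silently creating the role in someone else's tenant.
    """
    m = ROLE_NAME_RE.match(requested_name)
    if not m:
        raise ValueError(f"invalid role name: {requested_name!r}")
    prefix, name = m.group("tenant"), m.group("name")
    if prefix is not None and prefix != caller_tenant:
        raise CrossTenantRoleError(
            f"caller in tenant {caller_tenant!r} may not create a role in tenant {prefix!r}")
    return caller_tenant, name
```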
Updated by lei cao almost 3 years ago
I tried a PR: https://github.com/ceph/ceph/pull/41858
Updated by Pritha Srivastava almost 3 years ago
- Status changed from New to Fix Under Review
- Pull request ID set to 41858
Updated by Casey Bodley almost 3 years ago
- Status changed from Fix Under Review to Pending Backport
- Tags set to sts role
- Backport set to pacific octopus
Updated by Backport Bot almost 3 years ago
- Copied to Backport #51778: octopus: Creating a role in another tenant seems to be possible added
Updated by Backport Bot almost 3 years ago
- Copied to Backport #51779: pacific: Creating a role in another tenant seems to be possible added
Updated by Loïc Dachary over 2 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".