Bug #51206
Creating a role in another tenant seems to be possible
Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Tags: sts role
Backport: pacific octopus
Regression: No
Severity: 3 - minor
Description
This is a follow-up to the thread on the mailing list:
https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/5HWL3AV275Y5B4UMIEBMF34NDGDVABK4/
Using the aws cli (and likely in other ways as well), it is possible to create a role in a tenant other than the user's own.
This can be done by prefixing the role name with tenantName$.
The issue holds true both for users authenticating with access keys and for federated users who assume a role granting permission to create roles.
This allows unauthorised cross-tenant access to be obtained.
Reproduced on Ceph 16.2.1.
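As an added illustration of the tenant-scoping check that closes this gap (this is not Ceph's own patch; the function and struct names are hypothetical), the resolver below honours a `tenant$` prefix on a role name only when it names the caller's own tenant, and denies the request otherwise:

```cpp
#include <optional>
#include <string>
#include <string_view>

// Hypothetical tenant-scoping check (illustrative, not the Ceph fix): a role
// name may carry a "tenant$name" prefix; the resolver works out the effective
// tenant and refuses any request whose prefix names a tenant other than the
// caller's, so a caller can never create a role outside its own tenant.
struct RoleTarget {
  std::string tenant;  // tenant the role would be created in
  std::string name;    // bare role name without any prefix
};

// Returns the resolved target, or std::nullopt when the request must be denied.
std::optional<RoleTarget> resolve_role_target(std::string_view caller_tenant,
                                              std::string_view requested_name) {
  const auto sep = requested_name.find('$');
  if (sep == std::string_view::npos) {
    // No prefix: the role is created in the caller's own tenant.
    return RoleTarget{std::string(caller_tenant), std::string(requested_name)};
  }
  const std::string_view tenant = requested_name.substr(0, sep);
  const std::string_view name = requested_name.substr(sep + 1);
  // Reject empty parts and a second separator inside the bare name.
  if (tenant.empty() || name.empty() ||
      name.find('$') != std::string_view::npos) {
    return std::nullopt;
  }
  // An explicit prefix is only honoured when it matches the caller's tenant.
  if (tenant != caller_tenant) {
    return std::nullopt;
  }
  return RoleTarget{std::string(tenant), std::string(name)};
}
```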