Bug #51219
Federated user can modify policies in other tenants
Description
With a role from tenant mytenant which has a policy as below (note wrong/arbitrary tenant name abc in the Resource)
Permission policy:
{
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListRoles"]},
    {"Effect": "Allow",
     "Action": ["iam:GetRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::abc:role/base/default"}
  ]
}
when a user assumes the role he/she will be able to modify any policy on any role (not limited by the path /base/default) across all tenants.
This is for a federated user with no roles:* capability.
History
#1 Updated by Daniel Iwan almost 3 years ago
This is possibly related to https://tracker.ceph.com/issues/51206
#2 Updated by Casey Bodley almost 3 years ago
- Assignee set to Pritha Srivastava
#3 Updated by Pritha Srivastava almost 3 years ago
- Status changed from New to In Progress
Initial investigation shows that while parsing an IAM policy, if the tenant of the resource doesn't match up with the tenant of the user, then the resource element is discarded. This error message appears in RGW log: Supplied resource is discarded:. Checking what it means when the resource is discarded.
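The following is an added illustration of the failure mode described in the report and in comment #3; it is not Ceph RGW code and not the content of PR 41931. It models a tiny allow-only policy evaluator in which a Resource whose tenant differs from the role's tenant is discarded during parsing (the behaviour described above), so the statement ends up with no Resource at all and is read as "any resource". The "strict" mode is an assumed defensive alternative, not necessarily the upstream fix: a statement whose only Resource entries were rejected is scoped to nothing rather than to everything. The policy is the one from the issue; the request ARNs and the tenant name othertenant are constructed for the example.

```python
import json

# Policy from the tracker issue: the Resource names tenant "abc" while the role
# it is attached to lives in tenant "mytenant".
ISSUE_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListRoles"]},
    {"Effect": "Allow",
     "Action": ["iam:GetRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::abc:role/base/default"}
  ]
}
""")

# Same policy with the Resource tenant corrected to the role's own tenant
# (constructed here to show what the intended scoping looks like).
CORRECT_POLICY = json.loads(json.dumps(ISSUE_POLICY).replace("::abc:", "::mytenant:"))

# Constructed sample requests: (action, resource ARN being acted on).
REQUESTS = [
    ("iam:ListRoles", "arn:aws:iam::mytenant:role/any"),
    ("iam:PutRolePolicy", "arn:aws:iam::mytenant:role/base/default"),
    ("iam:PutRolePolicy", "arn:aws:iam::othertenant:role/admin"),
]


def arn_tenant(arn):
    """Tenant (account) field of an IAM ARN: arn:aws:iam::TENANT:role/path/name."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {arn!r}")
    return parts[4]


def normalize(policy, role_tenant, mode):
    """Resolve each statement's Resource list relative to the role's tenant.

    mode == "discard": models the behaviour in the issue. A foreign-tenant ARN is
    logged and dropped; if nothing is left the statement gets Resource None,
    which allows() treats exactly like a statement that never had a Resource.
    mode == "strict": assumed defensive alternative. Foreign ARNs are still not
    matchable, but the statement keeps an (empty) Resource list, so it cannot
    match any request instead of matching every request.
    """
    out = []
    for stmt in policy["Statement"]:
        raw = stmt.get("Resource")
        if raw is None:                       # statement written without a Resource
            out.append({**stmt, "Resource": None})
            continue
        arns = [raw] if isinstance(raw, str) else list(raw)
        kept = [arn for arn in arns if arn_tenant(arn) == role_tenant]
        for arn in arns:
            if arn not in kept:
                print(f"Supplied resource is discarded: {arn}")  # log line quoted in the issue
        if mode == "discard" and not kept:
            out.append({**stmt, "Resource": None})  # indistinguishable from "unscoped"
        else:
            out.append({**stmt, "Resource": kept})  # [] in strict mode: matches nothing
    return out


def allows(statements, action, resource_arn):
    """Allow-only check: pass if some Allow statement lists the action and its
    Resource is either None (unscoped) or explicitly names the requested ARN."""
    for stmt in statements:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        res = stmt["Resource"]
        if res is None or resource_arn in res:
            return True
    return False


def evaluate(mode, policy=ISSUE_POLICY, role_tenant="mytenant"):
    """Map each sample request to its decision under the given parsing mode."""
    stmts = normalize(policy, role_tenant, mode)
    return {(a, r): allows(stmts, a, r) for a, r in REQUESTS}


if __name__ == "__main__":
    for label, mode, policy in [("discard / issue policy", "discard", ISSUE_POLICY),
                                ("strict / issue policy", "strict", ISSUE_POLICY),
                                ("strict / corrected policy", "strict", CORRECT_POLICY)]:
        print(f"--- {label}")
        for (action, arn), ok in evaluate(mode, policy).items():
            print(f"{'ALLOW' if ok else 'deny ':5} {action:22} {arn}")
```

Under "discard" the mistyped policy grants iam:PutRolePolicy on every role in every tenant, which is the behaviour the report describes; under "strict" the same policy grants only iam:ListRoles, and only the corrected policy (Resource in the role's own tenant) grants the write on /base/default while still denying it on the other tenant's role.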
#4 Updated by Pritha Srivastava almost 3 years ago
- Pull request ID set to 41931
#5 Updated by Casey Bodley almost 3 years ago
- Status changed from In Progress to Fix Under Review
#6 Updated by Matt Benjamin over 2 years ago
- Tags set to security?
#7 Updated by Matt Benjamin over 2 years ago
- Backport set to pacific, octopus, nautilus
#8 Updated by Casey Bodley over 2 years ago
- Priority changed from Normal to High
#9 Updated by Casey Bodley over 2 years ago
- Status changed from Fix Under Review to Pending Backport
- Backport changed from pacific, octopus, nautilus to pacific, octopus
#10 Updated by Backport Bot over 2 years ago
- Copied to Backport #52728: pacific: Federated user can modify policies in other tenants added
#11 Updated by Backport Bot over 2 years ago
- Copied to Backport #52729: octopus: Federated user can modify policies in other tenants added
#12 Updated by Backport Bot over 1 year ago
- Tags changed from security? to security? backport_processed
#13 Updated by Konstantin Shalygin 2 months ago
- Status changed from Pending Backport to Resolved
- % Done changed from 0 to 100