Bug #51219

Federated user can modify policies in other tenants

Added by Daniel Iwan almost 3 years ago. Updated 2 months ago.

Status: Resolved
Priority: High
Target version: -
% Done: 100%
Source:
Tags: security? backport_processed
Backport: pacific, octopus
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

With a role from tenant mytenant which has the policy below (note the wrong/arbitrary tenant name abc in the Resource):

@ {
"Permission policy": "{
\"Statement\":[
{\"Effect\":\"Allow\",\"Action\":[\"iam:ListRoles\"]},
{\"Effect\":\"Allow\",\"Action\":[\"iam:GetRole\",\"iam:ListRolePolicies\", \"iam:GetRolePolicy\", \"iam:PutRolePolicy\"], \"Resource\":\"arn:aws:iam::abc:role/base/default\"}
]
}"
}
@

when a user assumes the role, he/she will be able to modify any policy on any role (not limited by the path /base/default) across all tenants.
This is for a federated user with no roles:* capability.


Related issues

Copied to rgw - Backport #52728: pacific: Federated user can modify policies in other tenants Resolved
Copied to rgw - Backport #52729: octopus: Federated user can modify policies in other tenants Rejected

History

#1 Updated by Daniel Iwan almost 3 years ago

This is possibly related to https://tracker.ceph.com/issues/51206

#2 Updated by Casey Bodley almost 3 years ago

  • Assignee set to Pritha Srivastava

#3 Updated by Pritha Srivastava almost 3 years ago

  • Status changed from New to In Progress

Initial investigation shows that while parsing an IAM policy, if the tenant of the resource doesn't match up with the tenant of the user, then the resource element is discarded. This error message appears in the RGW log: "Supplied resource is discarded:". Checking what it means when the resource is discarded.
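To make the mechanism in the description and in comment #3 concrete, here is an added Python model. It is not RGW code and it is not the change in PR 41931 (whose contents are not shown on this page): it parses the reported policy for a caller in tenant mytenant, once dropping a Resource that names a foreign tenant the way comment #3 describes, and once refusing such a policy outright. The ARN layout (tenant in the account field), the fail-closed alternative, and the sample role ARNs in other tenants are assumptions of the example, not facts from the tracker.

```python
"""Toy model of the tenant-mismatch behaviour described in #51219.

Added example, not RGW code. It simulates how an IAM role policy whose
Resource ARN names a foreign tenant is handled in two modes.
"""
import json

# Constructed inputs: the policy from the report (tenant "abc" in the
# Resource) and the tenant the role actually belongs to.
REPORTED_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListRoles"]},
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:ListRolePolicies",
                    "iam:GetRolePolicy", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::abc:role/base/default"},
    ]
})
CALLER_TENANT = "mytenant"
# The same policy with the Resource scoped to the caller's own tenant.
CORRECT_POLICY = REPORTED_POLICY.replace("arn:aws:iam::abc:",
                                         "arn:aws:iam::mytenant:")


def arn_tenant(arn):
    """Return the tenant (account) field of arn:aws:iam::<tenant>:role/..."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError("malformed IAM ARN: %r" % arn)
    return parts[4]


def parse_policy(doc, caller_tenant, discard_foreign):
    """Parse a policy into (effect, actions, resources) triples.

    resources is None when a statement has no Resource element; in this
    model such a statement is not constrained by resource at all.

    discard_foreign=True reproduces the reported behaviour: a Resource whose
    tenant differs from the caller's is dropped, and a statement left with
    no resources behaves as if Resource had never been given.
    discard_foreign=False is the fail-closed alternative assumed by this
    example (not necessarily how the real fix works): reject the policy.
    """
    statements = []
    for s in json.loads(doc)["Statement"]:
        actions = s["Action"]
        actions = {actions} if isinstance(actions, str) else set(actions)
        resources = s.get("Resource")
        if resources is not None:
            if isinstance(resources, str):
                resources = [resources]
            kept = set()
            for r in resources:
                if arn_tenant(r) == caller_tenant:
                    kept.add(r)
                elif discard_foreign:
                    # Mirrors the RGW log line quoted in comment #3.
                    print("Supplied resource is discarded:", r)
                else:
                    raise ValueError("Resource %r names tenant %r, caller is %r"
                                     % (r, arn_tenant(r), caller_tenant))
            if discard_foreign and not kept:
                # Nothing survived, so the element is gone and the statement
                # is no longer resource-constrained: this is the reported hole.
                kept = None
            resources = kept
        statements.append((s["Effect"], actions, resources))
    return statements


def is_allowed(statements, action, resource_arn):
    """Deny by default; an explicit Deny wins over any Allow."""
    allowed = False
    for effect, actions, resources in statements:
        if action not in actions:
            continue
        if resources is not None and resource_arn not in resources:
            continue
        if effect == "Deny":
            return False
        allowed = True
    return allowed


def reproduce():
    """Buggy mode: the role may PutRolePolicy on a role in another tenant."""
    stmts = parse_policy(REPORTED_POLICY, CALLER_TENANT, discard_foreign=True)
    return is_allowed(stmts, "iam:PutRolePolicy",
                      "arn:aws:iam::othertenant:role/admin")


def fail_closed():
    """Strict mode: the same policy is rejected at parse time."""
    try:
        parse_policy(REPORTED_POLICY, CALLER_TENANT, discard_foreign=False)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("cross-tenant PutRolePolicy allowed in buggy mode:", reproduce())
    print("policy rejected in fail-closed mode:", fail_closed())
```

Running the module prints True for both checks: with the discard behaviour the statement that lost its Resource grants iam:PutRolePolicy on any role anywhere, which is the effect the report describes; refusing the policy instead leaves the mistyped tenant visible to the administrator rather than silently widening the grant.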

#4 Updated by Pritha Srivastava almost 3 years ago

  • Pull request ID set to 41931

#5 Updated by Casey Bodley almost 3 years ago

  • Status changed from In Progress to Fix Under Review

#6 Updated by Matt Benjamin over 2 years ago

  • Tags set to security?

#7 Updated by Matt Benjamin over 2 years ago

  • Backport set to pacific, octopus, nautilus

#8 Updated by Casey Bodley over 2 years ago

  • Priority changed from Normal to High

#9 Updated by Casey Bodley over 2 years ago

  • Status changed from Fix Under Review to Pending Backport
  • Backport changed from pacific, octopus, nautilus to pacific, octopus

#10 Updated by Backport Bot over 2 years ago

  • Copied to Backport #52728: pacific: Federated user can modify policies in other tenants added

#11 Updated by Backport Bot over 2 years ago

  • Copied to Backport #52729: octopus: Federated user can modify policies in other tenants added

#12 Updated by Backport Bot over 1 year ago

  • Tags changed from security? to security? backport_processed

#13 Updated by Konstantin Shalygin 2 months ago

  • Status changed from Pending Backport to Resolved
  • % Done changed from 0 to 100
