
Bug #51219

Federated user can modify policies in other tenants

Added by Daniel Iwan over 1 year ago. Updated 6 months ago.

Status: Pending Backport
Priority: High
Target version: -
% Done: 0%
Source:
Tags: security? backport_processed
Backport: pacific, octopus
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

With a role from tenant mytenant which has a policy as below (note wrong/arbitrary tenant name abc in the Resource)

    {
        "Permission policy": {
            "Statement": [
                {"Effect": "Allow", "Action": ["iam:ListRoles"]},
                {"Effect": "Allow",
                 "Action": ["iam:GetRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:PutRolePolicy"],
                 "Resource": "arn:aws:iam::abc:role/base/default"}
            ]
        }
    }

(the "Permission policy" value is stored as a JSON-encoded string; it is shown here unescaped and indented for readability)

when a user assumes the role he/she will be able to modify any policy on any role (not limited by the path /base/default) across all tenants.
This is for a federated user with no roles:* capability.


Related issues

Copied to rgw - Backport #52728: pacific: Federated user can modify policies in other tenants In Progress
Copied to rgw - Backport #52729: octopus: Federated user can modify policies in other tenants Rejected

History

#1 Updated by Daniel Iwan over 1 year ago

This is possibly related to https://tracker.ceph.com/issues/51206

#2 Updated by Casey Bodley over 1 year ago

  • Assignee set to Pritha Srivastava

#3 Updated by Pritha Srivastava over 1 year ago

  • Status changed from New to In Progress

Initial investigation shows that while parsing an IAM policy, if the tenant of the resource doesn't match up with the tenant of the user, then the resource element is discarded. This error message appears in the RGW log: "Supplied resource is discarded:". Checking what it means when the resource is discarded.
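The behaviour described in the report and in comment #3 (a Resource ARN whose tenant differs from the role's tenant is dropped at parse time, leaving the Allow statement unscoped) can be caught before a policy is attached. The following audit check is an added example, not Ceph code: it takes a role's tenant and its permission policy document (the one from the description, embedded as constructed input) and returns every IAM resource ARN whose tenant field does not match. The ARN layout assumed is the one the report shows (arn:aws:iam::TENANT:role/PATH/NAME); the tenant field is compared as-is.

```python
import json
import re

# Constructed input: the policy from the bug report, attached to a role in tenant "mytenant".
ROLE_TENANT = "mytenant"
POLICY_DOCUMENT = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListRoles"]},
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::abc:role/base/default"},
    ]
})

# arn:aws:iam::<tenant>:<resource>; the tenant field may be empty, so it is matched with [^:]*.
IAM_ARN = re.compile(r"^arn:aws:iam::(?P<tenant>[^:]*):(?P<resource>.+)$")


def _as_list(value):
    """Policy grammar allows a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_tenant_mismatches(policy_json, role_tenant):
    """Return (statement_index, arn) pairs for IAM ARNs whose tenant differs from role_tenant.

    On RGW builds affected by this bug such a Resource is discarded while parsing
    ("Supplied resource is discarded"), so the Allow statement it belonged to is no
    longer scoped to any role. Flagging these ARNs lets an operator fix the policy
    instead of relying on a restriction that will not be enforced.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        for arn in _as_list(stmt.get("Resource")):
            match = IAM_ARN.match(arn)
            if match and match.group("tenant") != role_tenant:
                findings.append((idx, arn))
    return findings


if __name__ == "__main__":
    for idx, arn in find_tenant_mismatches(POLICY_DOCUMENT, ROLE_TENANT):
        print(f"statement {idx}: resource {arn} names a tenant other than {ROLE_TENANT}")
```

Statements that carry no Resource at all (like the iam:ListRoles statement above) are unscoped by design and are not reported; the check targets only the mismatch this bug turns into an unintended grant.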

#4 Updated by Pritha Srivastava over 1 year ago

  • Pull request ID set to 41931

#5 Updated by Casey Bodley over 1 year ago

  • Status changed from In Progress to Fix Under Review

#6 Updated by Matt Benjamin over 1 year ago

  • Tags set to security?

#7 Updated by Matt Benjamin over 1 year ago

  • Backport set to pacific, octopus, nautilus

#8 Updated by Casey Bodley over 1 year ago

  • Priority changed from Normal to High

#9 Updated by Casey Bodley over 1 year ago

  • Status changed from Fix Under Review to Pending Backport
  • Backport changed from pacific, octopus, nautilus to pacific, octopus

#10 Updated by Backport Bot over 1 year ago

  • Copied to Backport #52728: pacific: Federated user can modify policies in other tenants added

#11 Updated by Backport Bot over 1 year ago

  • Copied to Backport #52729: octopus: Federated user can modify policies in other tenants added

#12 Updated by Backport Bot 6 months ago

  • Tags changed from security? to security? backport_processed
