fix: RBAC bypass vulnerabilities in model access #4270
Conversation
derekhiggins
requested review from
ashwinb,
bbrowning,
cdoern,
ehhuang,
franciscojavierarceo,
leseb,
mattf and
raghotham
as code owners
meta-cla
bot
added
the
CLA Signed
derekhiggins
force-pushed
the
GHSA-vcwv-qqgp-rmg4
branch
from
fad5849 to
61f6bd7
Compare
derekhiggins
changed the title
| temp_model = ModelWithOwner( | ||
| identifier=model_id, | ||
| provider_id=provider_id, | ||
| provider_resource_id=provider_resource_id, | ||
| model_type=expected_model_type, | ||
| type="model", | ||
| metadata={}, # Empty metadata for temporary object | ||
| ) |
There was a problem hiding this comment.
With no owner and empty metadata, does that have an impact on our RBAC policies? Will this cause checks to pass that should otherwise fail? Or checks to fail that should otherwise pass?
There was a problem hiding this comment.
I think this is the temporary ModelWithOwner objects for RBAC validation, meaning is_action_allowed(self.routing_table.policy, "read", temp_model, user): below fails if the user does not have access to the model? so for temp_model the owner doesn't matter, its just for comparison, I think?
There was a problem hiding this comment.
yes, its a tmp model for policy check, with no owner (by design)
if auth hasn't been enabled then user==None and is_action_allowed will pass, the default doesn't change all models are still available
if auth is enabled then the default policy allows access
if auth is enabled and using a custom policy its upto the user to make sure they allow access to the model with their policy either by name/resource_id or by using other claims in the token (this is the only behaviour that should be changing in this PR, previously a custom policy wasn't restricting anything.
|
Does this change the default visibility of models in our starter distro and similar setups that don't use a customized RBAC policy? Are all models visible to every user when authentication is disabled? The changes look reasonable as far as enforcement, but it wasn't immediately obvious whether this is also adding additional restrictions in our default case. |
Yup, if not using Authentication nothing should change, the first check in is_action_allowed returns True if auth isn't enabled (user == None) |
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: llamastack#4269 Signed-off-by: Derek Higgins <derekh@redhat.com>
derekhiggins
force-pushed
the
GHSA-vcwv-qqgp-rmg4
branch
from
61f6bd7 to
6b11191
Compare
bbrowning
left a comment
bbrowning
left a comment
There was a problem hiding this comment.
This looks reasonable and my questions have been addressed. Thanks!
|
@Mergifyio backport release-0.3.x |
✅ Backports have been created
|
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: #4269 Signed-off-by: Derek Higgins <derekh@redhat.com> (cherry picked from commit 8940be2) # Conflicts: # llama_stack/core/routers/inference.py # llama_stack/core/routing_tables/models.py # tests/unit/server/test_access_control.py
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: #4269 Signed-off-by: Derek Higgins <derekh@redhat.com> (cherry picked from commit 8940be2) Signed-off-by: Charlie Doern <cdoern@redhat.com>
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: #4269 Signed-off-by: Derek Higgins <derekh@redhat.com> (cherry picked from commit 8940be2) Signed-off-by: Charlie Doern <cdoern@redhat.com>
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: #4269 Signed-off-by: Derek Higgins <derekh@redhat.com> (cherry picked from commit 8940be2) Signed-off-by: Charlie Doern <cdoern@redhat.com>
| raise ModelNotFoundError(model_id) | ||
|
|
||
| # Create a temporary model object for RBAC check | ||
| temp_model = ModelWithOwner( |
There was a problem hiding this comment.
this reads awkward, maybe we need to think about the RBAC API a bit so this "temp model" creation is not necessary
There was a problem hiding this comment.
Yup, creating that seemed a little excessive but I couldn't see any way around it
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: #4269 Signed-off-by: Derek Higgins <derekh@redhat.com> (cherry picked from commit 8940be2) Signed-off-by: Charlie Doern <cdoern@redhat.com>
) Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: #4269 <hr>This is an automatic backport of pull request #4270 done by [Mergify](https://mergify.com). Signed-off-by: Derek Higgins <derekh@redhat.com> Signed-off-by: Charlie Doern <cdoern@redhat.com> Co-authored-by: Derek Higgins <derekh@redhat.com>
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: llamastack#4269 Signed-off-by: Derek Higgins <derekh@redhat.com>
Closes security gaps where RBAC checks could be bypassed: o Inference router: Added RBAC enforcement in the fallback path to ensure access control is applied consistently. o Model listing: Dynamic models fetched via provider_data were returned without RBAC checks. Added filtering to ensure users only see models they have permission to access. Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement. Closes: llamastack#4269 Signed-off-by: Derek Higgins <derekh@redhat.com>
|
|
||
| logger.debug(f"Fetched {len(models)} models from provider {provider_id} using provider_data") | ||
| # Convert to ModelWithOwner for RBAC check | ||
| temp_model = ModelWithOwner( |
There was a problem hiding this comment.
@derekhiggins we ask providers to return Model, but we always need ModelWithOwner. can we move the ResourceWithOwner up a level in the class hierarcy?
There was a problem hiding this comment.
We'd have to look into how difficult it would be but wouldn't be a bad idea, I'd like to add a few simple RBAC policies into the integration auth tests next. Then would be more comfortable with refactors like this.
5 participants
Closes security gaps where RBAC checks could be bypassed:
o Inference router: Added RBAC enforcement in the fallback
path to ensure access control is applied consistently.
o Model listing: Dynamic models fetched via provider_data were returned
without RBAC checks. Added filtering to ensure users only see models
they have permission to access.
Both fixes create temporary ModelWithOwner objects for RBAC validation, maintaining security through consistent access control enforcement.
Closes: #4269