Fix CVE-2016-7404

This commit addresses multiple potential vulnerabilities in Magnum. It makes the following changes: * Permissions for /etc/sysconfig/heat-params inside Magnum created instances are tightened to 0600 (used to be 0755). * Certificate retrieval is modified to work without the need for a Keystone trust. * The cluster's Keystone trust id is only passed into instances for clusters where that is actually needed. This prevents the trustee user from consuming the trust in cases where it is not needed. * The configuration setting trust/cluster_user_trust (False by default) is introduced. It needs to be explicitely enabled by the cloud operator to allow clusters that need the trust_id to be passed into instances to work. Without this setting, attempts to create such clusters will fail. Please note, that none of these changes apply to existing clusters. They will have to be deleted and rebuilt to benefit from these changes. Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
openstack · Feb 9, 2017 · e93d82e · e93d82e
1 parent ae41b45
commit e93d82e
Show file tree

Hide file tree

Showing 27 changed files with 171 additions and 75 deletions.
diff --git a/devstack/lib/magnum b/devstack/lib/magnum
@@ -204,6 +204,7 @@ function create_magnum_conf {
               --os-identity-api-version 3 role add \
               --user $trustee_domain_admin_id --domain $trustee_domain_id \
               admin
+    iniset $MAGNUM_CONF trust cluster_user_trust True
     iniset $MAGNUM_CONF trust trustee_domain_name magnum
     iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
     iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD

diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
@@ -4,35 +4,37 @@
     "default": "rule:admin_or_owner",
     "admin_api": "rule:context_is_admin",
     "admin_or_user": "is_admin:True or user_id:%(user_id)s",
+    "cluster_user": "user_id:%(trustee_user_id)s",
+    "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
 
-    "bay:create": "rule:default",
-    "bay:delete": "rule:default",
-    "bay:detail": "rule:default",
-    "bay:get": "rule:default",
-    "bay:get_all": "rule:default",
-    "bay:update": "rule:default",
+    "bay:create": "rule:deny_cluster_user",
+    "bay:delete": "rule:deny_cluster_user",
+    "bay:detail": "rule:deny_cluster_user",
+    "bay:get": "rule:deny_cluster_user",
+    "bay:get_all": "rule:deny_cluster_user",
+    "bay:update": "rule:deny_cluster_user",
 
-    "baymodel:create": "rule:default",
-    "baymodel:delete": "rule:default",
-    "baymodel:detail": "rule:default",
-    "baymodel:get": "rule:default",
-    "baymodel:get_all": "rule:default",
-    "baymodel:update": "rule:default",
+    "baymodel:create": "rule:deny_cluster_user",
+    "baymodel:delete": "rule:deny_cluster_user",
+    "baymodel:detail": "rule:deny_cluster_user",
+    "baymodel:get": "rule:deny_cluster_user",
+    "baymodel:get_all": "rule:deny_cluster_user",
+    "baymodel:update": "rule:deny_cluster_user",
     "baymodel:publish": "rule:admin_or_owner",
 
-    "cluster:create": "rule:default",
-    "cluster:delete": "rule:default",
-    "cluster:detail": "rule:default",
-    "cluster:get": "rule:default",
-    "cluster:get_all": "rule:default",
-    "cluster:update": "rule:default",
+    "cluster:create": "rule:deny_cluster_user",
+    "cluster:delete": "rule:deny_cluster_user",
+    "cluster:detail": "rule:deny_cluster_user",
+    "cluster:get": "rule:deny_cluster_user",
+    "cluster:get_all": "rule:deny_cluster_user",
+    "cluster:update": "rule:deny_cluster_user",
 
-    "clustertemplate:create": "rule:default",
-    "clustertemplate:delete": "rule:default",
-    "clustertemplate:detail": "rule:default",
-    "clustertemplate:get": "rule:default",
-    "clustertemplate:get_all": "rule:default",
-    "clustertemplate:update": "rule:default",
+    "clustertemplate:create": "rule:deny_cluster_user",
+    "clustertemplate:delete": "rule:deny_cluster_user",
+    "clustertemplate:detail": "rule:deny_cluster_user",
+    "clustertemplate:get": "rule:deny_cluster_user",
+    "clustertemplate:get_all": "rule:deny_cluster_user",
+    "clustertemplate:update": "rule:deny_cluster_user",
     "clustertemplate:publish": "rule:admin_or_owner",
 
     "quotas:get": "rule:default",
@@ -41,9 +43,9 @@
     "quotas:update": "rule:admin_api",
     "quotas:delete": "rule:admin_api",
 
-    "certificate:create": "rule:admin_or_user",
-    "certificate:get": "rule:admin_or_user",
     "certificate:rotate_ca": "rule:admin_or_owner",
+    "certificate:create": "rule:admin_or_user or rule:cluster_user",
+    "certificate:get": "rule:admin_or_user or rule:cluster_user",
 
     "magnum-service:get_all": "rule:admin_api",
     "stats:get_all": "rule:admin_or_owner"

diff --git a/magnum/common/keystone.py b/magnum/common/keystone.py
@@ -204,6 +204,7 @@ def create_trust(self, trustee_user):
                 project=trustor_project_id,
                 trustee_user=trustee_user,
                 impersonation=True,
+                delegation_depth=0,
                 role_names=roles)
         except Exception:
             LOG.exception(_LE('Failed to create trust'))

diff --git a/magnum/common/policy.py b/magnum/common/policy.py
@@ -20,6 +20,8 @@
 from oslo_policy import policy
 import pecan
 
+from magnum.common import clients
+from magnum.common import context
 from magnum.common import exception
 
 
@@ -92,10 +94,20 @@ def enforce(context, rule=None, target=None,
     if target is None:
         target = {'project_id': context.project_id,
                   'user_id': context.user_id}
+    add_policy_attributes(target)
     return enforcer.enforce(rule, target, credentials,
                             do_raise=do_raise, exc=exc, *args, **kwargs)
 
 
+def add_policy_attributes(target):
+    """Adds extra information for policy enforcement to raw target object"""
+    admin_context = context.make_admin_context()
+    admin_osc = clients.OpenStackClients(admin_context)
+    trustee_domain_id = admin_osc.keystone().trustee_domain_id
+    target['trustee_domain_id'] = trustee_domain_id
+    return target
+
+
 def enforce_wsgi(api_name, act=None):
     """This is a decorator to simplify wsgi action policy rule check.
 

diff --git a/magnum/conductor/handlers/common/trust_manager.py b/magnum/conductor/handlers/common/trust_manager.py
@@ -22,15 +22,20 @@
 def create_trustee_and_trust(osc, cluster):
     try:
         password = utils.generate_password(length=18)
+
         trustee = osc.keystone().create_trustee(
-            cluster.uuid,
+            "%s_%s" % (cluster.uuid, cluster.project_id),
             password,
         )
+
         cluster.trustee_username = trustee.name
         cluster.trustee_user_id = trustee.id
         cluster.trustee_password = password
-        trust = osc.keystone().create_trust(trustee.id)
+
+        trust = osc.keystone().create_trust(
+            cluster.trustee_user_id)
         cluster.trust_id = trust.id
+
     except Exception:
         LOG.exception(
             _LE('Failed to create trustee and trust for Cluster: %s'),
@@ -41,9 +46,11 @@ def create_trustee_and_trust(osc, cluster):
 
 def delete_trustee_and_trust(osc, context, cluster):
     try:
+        kst = osc.keystone()
+
         # The cluster which is upgraded from Liberty doesn't have trust_id
         if cluster.trust_id:
-            osc.keystone().delete_trust(context, cluster)
+            kst.delete_trust(context, cluster)
     except Exception:
         # Exceptions are already logged by keystone().delete_trust
         pass

diff --git a/magnum/conf/trust.py b/magnum/conf/trust.py
@@ -18,6 +18,17 @@
                            title='Trustee options for the magnum services')
 
 trust_opts = [
+    cfg.BoolOpt('cluster_user_trust',
+                default=False,
+                help=_('This setting controls whether to assign a trust to'
+                       ' the cluster user or not. You will need to set it to'
+                       ' True for clusters with volume_driver=cinder or'
+                       ' registry_enabled=true in the underlying cluster'
+                       ' template to work. This is a potential security risk'
+                       ' since the trust gives instances OpenStack API access'
+                       " to the cluster's project. Note that this setting"
+                       ' does not affect per-cluster trusts assigned to the'
+                       'Magnum service user.')),
     cfg.StrOpt('trustee_domain_id',
                help=_('Id of the domain to create trustee for clusters')),
     cfg.StrOpt('trustee_domain_name',

diff --git a/magnum/db/sqlalchemy/api.py b/magnum/db/sqlalchemy/api.py
@@ -26,6 +26,8 @@
 from sqlalchemy.orm.exc import NoResultFound
 from sqlalchemy.sql import func
 
+from magnum.common import clients
+from magnum.common import context as request_context
 from magnum.common import exception
 import magnum.conf
 from magnum.db import api
@@ -122,8 +124,21 @@ def _add_tenant_filters(self, context, query):
         if context.is_admin and context.all_tenants:
             return query
 
-        if context.project_id:
+        admin_context = request_context.make_admin_context(all_tenants=True)
+        osc = clients.OpenStackClients(admin_context)
+        kst = osc.keystone()
+
+        # User in a regular project (not in the trustee domain)
+        if context.project_id and context.domain_id != kst.trustee_domain_id:
             query = query.filter_by(project_id=context.project_id)
+        # Match project ID component in trustee user's user name against
+        # cluster's project_id to associate per-cluster trustee users who have
+        # no project information with the project their clusters/cluster models
+        # reside in. This is equivalent to the project filtering above.
+        elif context.domain_id == kst.trustee_domain_id:
+            user_name = kst.client.users.get(context.user_id).name
+            user_project = user_name.split('_', 2)[1]
+            query = query.filter_by(project_id=user_project)
         else:
             query = query.filter_by(user_id=context.user_id)
 

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@@ -49,11 +49,6 @@ auth_json=$(cat << EOF
                     "password": "$TRUSTEE_PASSWORD"
                 }
             }
-        },
-        "scope": {
-            "OS-TRUST:trust": {
-                "id": "$TRUST_ID"
-            }
         }
     }
 }

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -71,11 +71,6 @@ auth_json=$(cat << EOF
                     "password": "$TRUSTEE_PASSWORD"
                 }
             }
-        },
-        "scope": {
-            "OS-TRUST:trust": {
-                "id": "$TRUST_ID"
-            }
         }
     }
 }

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
       KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
       KUBE_MASTER_IP="$KUBE_MASTER_IP"

diff --git a/magnum/drivers/common/templates/swarm/fragments/make-cert.py b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
@@ -150,19 +150,13 @@ def get_user_token(config):
                     "password": "%(trustee_password)s"
                 }
             }
-        },
-        "scope": {
-            "OS-TRUST:trust": {
-                "id": "%(trust_id)s"
-            }
         }
     }
 }
 '''
     params = {
         'trustee_user_id': config['TRUSTEE_USER_ID'],
         'trustee_password': config['TRUSTEE_PASSWORD'],
-        'trust_id': config['TRUST_ID']
     }
     creds = creds_str % params
     headers = {'Content-Type': 'application/json'}

diff --git a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
       WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"

diff --git a/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml b/magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
       WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"

diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py
@@ -21,6 +21,7 @@
 from magnum.common import clients
 from magnum.common import exception
 import magnum.conf
+from magnum.i18n import _LE
 from magnum.i18n import _LW
 
 from requests import exceptions as req_exceptions
@@ -245,7 +246,20 @@ def get_params(self, context, cluster_template, cluster, **kwargs):
         extra_params['trustee_user_id'] = cluster.trustee_user_id
         extra_params['trustee_username'] = cluster.trustee_username
         extra_params['trustee_password'] = cluster.trustee_password
-        extra_params['trust_id'] = cluster.trust_id
+
+        # Only pass trust ID into the template when it is needed.
+        if (cluster_template.volume_driver == 'rexray' or
+                cluster_template.registry_enabled):
+            if CONF.trust.cluster_user_trust:
+                extra_params['trust_id'] = cluster.trust_id
+            else:
+                missing_setting = ('trust/cluster_user_trust = True')
+                msg = _LE('This cluster can only be created with %s in '
+                          'magnum.conf')
+                raise exception.ConfigInvalid(msg % missing_setting)
+        else:
+            extra_params['trust_id'] = ""
+
         extra_params['auth_url'] = context.auth_url
 
         return super(BaseTemplateDefinition,

diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@@ -66,11 +66,6 @@ write_files:
                           "password": "$TRUSTEE_PASSWORD"
                       }
                   }
-              },
-              "scope": {
-                  "OS-TRUST:trust": {
-                      "id": "$TRUST_ID"
-                  }
               }
           }
       }

diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -89,11 +89,6 @@ write_files:
                           "password": "$TRUSTEE_PASSWORD"
                       }
                   }
-              },
-              "scope": {
-                  "OS-TRUST:trust": {
-                      "id": "$TRUST_ID"
-                  }
               }
           }
       }

diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
       KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"

diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
       KUBE_MASTER_IP="$KUBE_MASTER_IP"

diff --git a/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml b/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
       EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"