OSSN/OSSN-0010

Summary
The policy.v3cloudsample.json sample Keystone policy file combined with the underlying mutability of the domain ID for user, group, and project entities exposed a privilege escalation vulnerability. When this sample policy is applied a domain administrator can elevate their privileges to become a cloud administrator.

Affected Services / Software
Keystone, Havana

Discussion
Changes to the Keystone v3 sample policy during the Havana release cycle set an excessively broad domain administrator scope that allowed creation of roles (create_grant) on other domains (among other actions). There was no check that the domain administrator had authority to the domain they were attempting to grant a role on.

Combining the mutable state of the domain ID for user, group, and project entities with the sample v3 policy resulted in a privilege escalation vulnerability. A domain administrator could execute a series of steps to escalate their access to that of a cloud administrator.

Recommended Actions
Review the following updated sample v3 policy file from the OpenStack Icehouse release:

https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50

You should ensure that your Keystone deployment appropriately reflects that update. Domain administrators should generally only be permitted to perform actions against the domain for which they are an administrator.

Optionally, review the recent addition of support for immutable domain IDs and consider it for applicability to your Keystone deployment:

https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a

Contacts / References

 * Author: Jamie Finnigan, HP
 * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
 * Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
 * OpenStack Security ML : openstack-security@lists.openstack.org
 * OpenStack Security Group : https://launchpad.net/~openstack-ossg