Difference between revisions of "OSSN/OSSN-0055"
(Created page with "Work in Progress") |
(→Service accounts may have cloud admin privileges) |
||
| Line 1: | Line 1: | ||
| − | + | == Service accounts may have cloud admin privileges == | |
| + | === Summary === | ||
| + | OpenStack services (for example Nova and Glance) typically use a | ||
| + | service account in Keystone to perform actions. In some cases this | ||
| + | service account has full admin privileges, may therefore perform any | ||
| + | action on your cloud, and should be protected appropriately. | ||
| + | |||
| + | === Affected Services / Software === | ||
| + | Most OpenStack services / all versions | ||
| + | |||
| + | === Discussion === | ||
| + | In many cases, OpenStack services require an OpenStack account to | ||
| + | perform API actions such as validating Keystone tokens. Some | ||
| + | deployment tools grant administrative level access to these service | ||
| + | accounts, making these accounts very powerful. | ||
| + | |||
| + | A service account with administrator access could be used to: | ||
| + | |||
| + | * destroy/modify/access data | ||
| + | * create or destroy admin accounts | ||
| + | * potentially escalate to undercloud access | ||
| + | * log in to Horizon | ||
| + | |||
| + | === Recommended Actions === | ||
| + | Service accounts can use the "service" role rather than admin. You | ||
| + | can check what role the service account has by performing the following | ||
| + | steps: | ||
| + | |||
| + | 1. List roles: | ||
| + | |||
| + | openstack role list | ||
| + | |||
| + | 2. Check the role assignment for the service user in question: | ||
| + | |||
| + | openstack role assignment list --user <service_user> | ||
| + | |||
| + | 3. Compare the ID listed in the "role" column from step 2 with the role | ||
| + | IDs listed in step 1. If the role is listed as "admin", the service | ||
| + | account has full admin privileges on the cloud. | ||
| + | |||
| + | It is possible to change the role to "service" for some accounts but | ||
| + | this may have unexpected consequences for services such as Nova and | ||
| + | Neutron, and is therefore not recommended for inexperienced admins. | ||
| + | |||
| + | If a service account does have admin, it's advisable to closely | ||
| + | monitor login events for that user to ensure that it is not used | ||
| + | unexpectedly. In particular, pay attention to unusual IPs using the | ||
| + | service account. | ||
| + | |||
| + | === Contacts / References === | ||
| + | * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0054 | ||
| + | * Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1464750 | ||
| + | * OpenStack Security ML : openstack-security@lists.openstack.org | ||
| + | * OpenStack Security Group : https://launchpad.net/~openstack-ossg | ||
Revision as of 23:52, 2 September 2015
Contents
Service accounts may have cloud admin privileges
Summary
OpenStack services (for example Nova and Glance) typically use a service account in Keystone to perform actions. In some cases this service account has full admin privileges, may therefore perform any action on your cloud, and should be protected appropriately.
Affected Services / Software
Most OpenStack services / all versions
Discussion
In many cases, OpenStack services require an OpenStack account to perform API actions such as validating Keystone tokens. Some deployment tools grant administrative level access to these service accounts, making these accounts very powerful.
A service account with administrator access could be used to:
- destroy/modify/access data
- create or destroy admin accounts
- potentially escalate to undercloud access
- log in to Horizon
Recommended Actions
Service accounts can use the "service" role rather than admin. You can check what role the service account has by performing the following steps:
1. List roles:
openstack role list
2. Check the role assignment for the service user in question:
openstack role assignment list --user <service_user>
3. Compare the ID listed in the "role" column from step 2 with the role IDs listed in step 1. If the role is listed as "admin", the service account has full admin privileges on the cloud.
It is possible to change the role to "service" for some accounts but this may have unexpected consequences for services such as Nova and Neutron, and is therefore not recommended for inexperienced admins.
If a service account does have admin, it's advisable to closely monitor login events for that user to ensure that it is not used unexpectedly. In particular, pay attention to unusual IPs using the service account.
Contacts / References
- This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0054
- Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1464750
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg
