[Bug 1823200] Related fix proposed to os-brick (master)
OpenStack Infra
1823200 at bugs.launchpad.net
Thu Aug 13 11:18:51 UTC 2020
Related fix proposed to branch: master
Review: https://review.opendev.org/746109
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to cinder in Ubuntu.
https://bugs.launchpad.net/bugs/1823200
Title:
Improper handling of ScaleIO backend credentials
Status in Cinder:
Fix Released
Status in Cinder queens series:
Fix Committed
Status in Cinder rocky series:
Fix Committed
Status in Cinder stein series:
Fix Committed
Status in Cinder train series:
Fix Committed
Status in Cinder ussuri series:
Fix Committed
Status in Cinder victoria series:
Fix Released
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive queens series:
Fix Released
Status in Ubuntu Cloud Archive rocky series:
Fix Released
Status in Ubuntu Cloud Archive stein series:
Fix Released
Status in Ubuntu Cloud Archive train series:
Fix Released
Status in Ubuntu Cloud Archive ussuri series:
Fix Released
Status in Ubuntu Cloud Archive victoria series:
Fix Released
Status in os-brick:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
In Progress
Status in OpenStack Security Guide Documentation:
Fix Released
Status in cinder package in Ubuntu:
Fix Released
Status in python-os-brick package in Ubuntu:
Fix Released
Status in cinder source package in Bionic:
Fix Released
Status in python-os-brick source package in Bionic:
Fix Released
Status in cinder source package in Eoan:
Won't Fix
Status in python-os-brick source package in Eoan:
Won't Fix
Status in cinder source package in Focal:
Fix Released
Status in python-os-brick source package in Focal:
Fix Released
Status in cinder source package in Groovy:
Fix Released
Status in python-os-brick source package in Groovy:
Fix Released
Bug description:
The ScaleIO driver uses the backend storage login and password for
authentication for connections to the volume as well as the management
API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from
that volume, and use it to connect to the ScaleIO management API and
presumably do lots of things they shouldn't be allowed to. Most
drivers create credentials for volumes that are independent of the
management credentials.
c) If the password is changed on the backend ScaleIO volumes that are
currently being used stop working, because Nova stores the old
password in its block_device_mapping table. (Not a security problem
other than the fact that it prevents rotation of passwords, but
definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773,
(which generally advises that in some clouds, only Nova should be able
to see connection info, not end users) but the situation there is
worse for the ScaleIO driver because most drivers only put
usernames/passwords in connection_info that are usable for a single
volume, not for the storage backend itself.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1823200/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list