[Bug 1823200] Re: Improper handling of ScaleIO backend credentials

Corey Bryant 1823200 at bugs.launchpad.net
Mon Jun 22 20:28:25 UTC 2020


** Changed in: python-os-brick (Ubuntu Eoan)
   Importance: Undecided => High

** Changed in: python-os-brick (Ubuntu Eoan)
       Status: New => Triaged

** Changed in: python-os-brick (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: python-os-brick (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: python-os-brick (Ubuntu Groovy)
       Status: Triaged => Fix Released

** Changed in: cinder (Ubuntu Groovy)
   Importance: Undecided => High

** Changed in: cinder (Ubuntu Groovy)
       Status: New => Triaged

** Changed in: cinder (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: cinder (Ubuntu Focal)
       Status: New => Triaged

** Changed in: cinder (Ubuntu Eoan)
   Importance: Undecided => High

** Changed in: cinder (Ubuntu Eoan)
       Status: New => Triaged

** Changed in: cinder (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: cinder (Ubuntu Bionic)
       Status: New => Triaged

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/stein
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/train
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/rocky
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/queens
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/victoria
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/ussuri
   Importance: Undecided
       Status: New

** Changed in: cloud-archive/victoria
   Importance: Undecided => High

** Changed in: cloud-archive/victoria
       Status: New => Triaged

** Changed in: cloud-archive/ussuri
   Importance: Undecided => High

** Changed in: cloud-archive/ussuri
       Status: New => Triaged

** Changed in: cloud-archive/train
   Importance: Undecided => High

** Changed in: cloud-archive/train
       Status: New => Triaged

** Changed in: cloud-archive/stein
   Importance: Undecided => High

** Changed in: cloud-archive/stein
       Status: New => Triaged

** Changed in: cloud-archive/rocky
   Importance: Undecided => High

** Changed in: cloud-archive/rocky
       Status: New => Triaged

** Changed in: cloud-archive/queens
   Importance: Undecided => High

** Changed in: cloud-archive/queens
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to cinder in Ubuntu.
https://bugs.launchpad.net/bugs/1823200

Title:
  Improper handling of ScaleIO backend credentials

Status in Cinder:
  Fix Released
Status in Cinder queens series:
  Fix Committed
Status in Cinder rocky series:
  Fix Committed
Status in Cinder stein series:
  Fix Committed
Status in Cinder train series:
  Fix Committed
Status in Cinder ussuri series:
  Fix Committed
Status in Cinder victoria series:
  Fix Released
Status in Ubuntu Cloud Archive:
  Triaged
Status in Ubuntu Cloud Archive queens series:
  Triaged
Status in Ubuntu Cloud Archive rocky series:
  Triaged
Status in Ubuntu Cloud Archive stein series:
  Triaged
Status in Ubuntu Cloud Archive train series:
  Triaged
Status in Ubuntu Cloud Archive ussuri series:
  Triaged
Status in Ubuntu Cloud Archive victoria series:
  Triaged
Status in os-brick:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  In Progress
Status in OpenStack Security Guide Documentation:
  Fix Released
Status in cinder package in Ubuntu:
  Triaged
Status in python-os-brick package in Ubuntu:
  Fix Released
Status in cinder source package in Bionic:
  Triaged
Status in python-os-brick source package in Bionic:
  Triaged
Status in cinder source package in Eoan:
  Triaged
Status in python-os-brick source package in Eoan:
  Triaged
Status in cinder source package in Focal:
  Triaged
Status in python-os-brick source package in Focal:
  Triaged
Status in cinder source package in Groovy:
  Triaged
Status in python-os-brick source package in Groovy:
  Fix Released

Bug description:
  The ScaleIO driver uses the backend storage login and password for
  authentication for connections to the volume as well as the management
  API.

  https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176

  https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229

  This has a few serious implications:
  a) A user can create a volume, retrieve the username/password from
  that volume, and use it to connect to a different tenant's volume.
  Most drivers create per-volume credentials.

  b) A user can create a volume, retrieve the username/password from
  that volume, and use it to connect to the ScaleIO management API and
  presumably do lots of things they shouldn't be allowed to.  Most
  drivers create credentials for volumes that are independent of the
  management credentials.

  c) If the password is changed on the backend, ScaleIO volumes that are
  currently being used stop working, because Nova stores the old
  password in its block_device_mapping table.  (Not a security problem
  other than the fact that it prevents rotation of passwords, but
  definitely a bug.)

  Parts of these issues are separately being looked at in bug 1736773
  (which generally advises that in some clouds, only Nova should be able
  to see connection info, not end users), but the situation there is
  worse for the ScaleIO driver because most drivers only put
  usernames/passwords in connection_info that are usable for a single
  volume, not for the storage backend itself.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1823200/+subscriptions
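The credential-scoping problem the report describes, modelled as a runnable Python sketch. This is an added illustration written for this page, not code from cinder, os-brick or the ScaleIO driver; the connection_info key names, the "vol:" login convention, the Backend class and every credential value are constructed assumptions. It contrasts a driver that copies the backend management login/password into every volume's connection_info with one that issues a credential valid for a single volume only, includes an audit function an operator could run over stored connection_info records to flag ones carrying the management password, and checks what a backend password rotation does to connection_info a consumer such as Nova has already stored (items a and c of the report).

```python
"""Model of the credential-scoping flaw described in the bug report.

Added illustration only; not code from cinder, os-brick or the ScaleIO driver.
Key names ("login", "password", "volume"), the "vol:" login convention and all
credential values are constructed for the example and do not claim to match
the real driver.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict, Iterator, List


@dataclass
class Backend:
    """Stand-in for the storage backend's management endpoint (constructed)."""
    admin_login: str
    admin_password: str
    # Credentials issued per volume by the hardened driver: volume_id -> secret.
    volume_secrets: Dict[str, str] = field(default_factory=dict)

    def authorize_volume_access(self, volume_id: str, login: str, secret: str) -> bool:
        """Management credentials reach every volume; a scoped credential reaches one."""
        if login == self.admin_login:
            return hmac.compare_digest(secret, self.admin_password)
        if login.startswith("vol:"):
            scoped_to = login[len("vol:"):]
            expected = self.volume_secrets.get(scoped_to)
            return (scoped_to == volume_id and expected is not None
                    and hmac.compare_digest(secret, expected))
        return False

    def rotate_admin_password(self) -> None:
        """Operator rotates the backend management password (item c in the report)."""
        self.admin_password = secrets.token_urlsafe(32)


def weak_initialize_connection(backend: Backend, volume_id: str) -> Dict[str, Any]:
    """Flawed pattern: backend login/password copied into every volume's connection_info."""
    return {"driver_volume_type": "scaleio",
            "data": {"volume": volume_id,
                     "login": backend.admin_login,
                     "password": backend.admin_password}}


def scoped_initialize_connection(backend: Backend, volume_id: str) -> Dict[str, Any]:
    """Hardened pattern: mint a credential usable only for this volume.

    The management credentials never leave the controller.
    """
    secret = secrets.token_urlsafe(32)
    backend.volume_secrets[volume_id] = secret
    return {"driver_volume_type": "scaleio",
            "data": {"volume": volume_id,
                     "login": f"vol:{volume_id}",
                     "password": secret}}


def _string_values(obj: Any) -> Iterator[str]:
    """Yield every string value nested anywhere in a connection_info structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _string_values(v)


def find_shared_credential_leaks(conn_infos: List[Dict[str, Any]],
                                 backend: Backend) -> List[str]:
    """Audit: ids of volumes whose connection_info carries the management password."""
    leaks = []
    for info in conn_infos:
        if any(hmac.compare_digest(v, backend.admin_password)
               for v in _string_values(info)):
            leaks.append(info["data"]["volume"])
    return leaks


def still_works_after_rotation(backend: Backend, conn_info: Dict[str, Any]) -> bool:
    """Does connection_info a consumer (e.g. Nova) stored survive a password rotation?"""
    backend.rotate_admin_password()
    d = conn_info["data"]
    return backend.authorize_volume_access(d["volume"], d["login"], d["password"])


if __name__ == "__main__":
    be = Backend("admin", "constructed-admin-password")
    weak = weak_initialize_connection(be, "vol-tenant-a")
    scoped = scoped_initialize_connection(be, "vol-tenant-b")
    print("management creds leaked via:", find_shared_credential_leaks([weak, scoped], be))
    print("scoped credential reaches another volume:",
          be.authorize_volume_access("vol-tenant-a", scoped["data"]["login"],
                                     scoped["data"]["password"]))
    print("scoped credential survives rotation:", still_works_after_rotation(be, scoped))
```

The audit function is the part an operator can reuse directly: run it over the connection_info records persisted by consumers of the driver and any hit means a tenant-visible record holds the backend management password. The per-volume variant also shows why item (c) disappears once credentials are scoped: rotating the management password no longer invalidates what Nova has stored.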
