59 lines
2.1 KiB
Plaintext
59 lines
2.1 KiB
Plaintext
Service accounts may have cloud admin privileges
|
|
---
|
|
|
|
### Summary ###
|
|
OpenStack services (for example Nova and Glance) typically use a
|
|
service account in Keystone to perform actions. In some cases this
|
|
service account has full admin privileges, may therefore perform any
|
|
action on your cloud, and should be protected appropriately.
|
|
|
|
### Affected Services / Software ###
|
|
Most OpenStack services / all versions
|
|
|
|
### Discussion ###
|
|
In many cases, OpenStack services require an OpenStack account to
|
|
perform API actions such as validating Keystone tokens. Some
|
|
deployment tools grant administrative level access to these service
|
|
accounts, making these accounts very powerful.
|
|
|
|
A service account with administrator access could be used to:
|
|
|
|
- destroy/modify/access data
|
|
- create or destroy admin accounts
|
|
- potentially escalate to undercloud access
|
|
- log in to Horizon
|
|
|
|
### Recommended Actions ###
|
|
Service accounts can use the "service" role rather than admin. You
|
|
can check what role the service account has by performing the following
|
|
steps:
|
|
|
|
1. List roles:
|
|
|
|
openstack role list
|
|
|
|
2. Check the role assignment for the service user in question:
|
|
|
|
openstack role assignment list --user <service_user>
|
|
|
|
3. Compare the ID listed in the "role" column from step 2 with the role
|
|
IDs listed in step 1. If the role is listed as "admin", the service
|
|
account has full admin privileges on the cloud.
|
|
|
|
It is possible to change the role to "service" for some accounts but
|
|
this may have unexpected consequences for services such as Nova and
|
|
Neutron, and is therefore not recommended for inexperienced admins.
|
|
|
|
If a service account does have admin, it's advisable to closely
|
|
monitor login events for that user to ensure that it is not used
|
|
unexpectedly. In particular, pay attention to unusual IPs using the
|
|
service account.
|
|
|
|
### Contacts / References ###
|
|
Author: Travis McPeak, HPE and Brant Knudson, IBM
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0055
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1464750
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
|
|