Opened 11 years ago

Closed 11 years ago

#90 closed (fixed)

User who created sliver can incorrectly use other user's slice cred to do any operation on slivers

Reported by: Owned by: somebody
Priority: major Milestone:
Component: AM Version: SPIRAL4
Keywords: Cc:


This test scenario uses two user accounts:

  • lnevers1
  • lnevers

The user "lnevers" binds the user "lnevers1" to a slice. User "lnevers1" gets slice credentials and creates a sliver. User "lnevers" with the lnevers1 slice credentials executes various operations which work and should not.

Here is the test sequence:

  1. As user "lnevers", used the protogeni-tests script to bind user "lnevers1" to a slice. The command executed:
    lnevers@sendaria:~/protogeni-tests$ ./ --certificate=/home/lnevers/.ssl/pgeni/encrypted.pem --sa= -n bindslice lnevers1
    Got my SA credential
    No such slice registered here:Creating new slice called bindslice
    New slice created:
    Found other user record at the SA, binding to slice ...
    Bound other user to slice at the SA
  2. User "lnevers1" gets slice credentials:
    lnevers1@sendaria:~/gcf-1.6.2$ getslicecred bindslice -o
    Result Summary: Saved slice bindslice cred to file bindslice-cred.xml
  3. User "lnevers1" creates a sliver:
    lnevers1@sendaria:~/gcf-1.6.2$ createsliver -a exobbn  bindslice exo.rspec --slicecredfile ./bindslice-cred.xml
    Result Summary: Slice expires on 2012-08-05 00:00:00 UTC
    Reserved resources on  
  4. User "lnevers" uses lnevers1 slice credentials to execute various commands, which should not work. Note the credential file is renamed "lnevers1-bindslice-cred.xml" to make this capture clearer:
    lnevers@sendaria:~/gcf-1.6.2$ -a exobbn listresources bindslice --slicecredfile ./lnevers1-bindslice-cred.xml -o
    Result Summary: Retrieved resources for slice bindslice from 1 aggregates.
    Wrote rspecs from 1 aggregates to 1 files
    Saved listresources RSpec at 'unspecified_AM_URN' to file bindslice-rspec-bbn-hn-exogeni-net-11443-orca.xml; . 
    lnevers@sendaria:~/gcf-1.6.2$ -a exobbn sliverstatus bindslice --slicecredfile ./lnevers1-bindslice-cred.xml -o
    Result Summary: Slice expires on 2012-08-05 00:00:00 UTC
    Saved sliverstatus on bindslice at AM to file bindslice-sliverstatus-bbn-hn-exogeni-net-11443-orca.json. 
    Returned status of slivers on 1 of 1 possible aggregates. 
    lnevers@sendaria:~/gcf-1.6.2$ -a exobbn renewsliver bindslice --slicecredfile ./lnevers1-bindslice-cred.xml 2012-08-04
    Result Summary: Slice expires on 2012-08-05 00:00:00 UTC
    Renewed sliver at unspecified_AM_URN ( until 2012-08-04T00:00:00+00:00 (UTC)

Attaching the lnevers1 slice credentials file used by lnevers.

Attachments (1)

bindslice-cred.xml (6.2 KB) - added by 11 years ago.


Change History (2)

Changed 11 years ago by

Attachment: bindslice-cred.xml added

comment:1 Changed 11 years ago by

Resolution: fixed
Status: new → closed

Closing ticket, this is not an ExoGENI error.

This problem was due to an Omni error handling problem. The test has a filename mismatch, which was not caught because Omni does not report any error when given a slice credential file name that does not exist; Omni uses the credential for the user executing the command rather than reporting.

Re-executed the procedure with the lnevers1 slice credentials file, and the proper response is given for all AM API operations, "No credential was found with appropriate privileges".
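
The failure mode described in comment:1, as an added example (not Omni's code and not part of the original ticket): a lenient loader that silently falls back to the caller's own credential when the requested file is missing, beside a strict loader that fails closed. All function names and the credential string format are hypothetical; the file names come from the ticket and the replay of the filename mismatch is constructed.

```python
import os
import tempfile

class CredentialFileError(Exception):
    """An explicitly requested slice credential file could not be used."""

def fetch_own_cred(user, slice_name):
    # Hypothetical stand-in for fetching the caller's own slice credential.
    return f"<cred owner='{user}' slice='{slice_name}'/>"

def load_cred_lenient(user, slice_name, credfile=None):
    """Behaviour described in comment:1: a missing file is silently ignored."""
    if credfile and os.path.isfile(credfile):
        with open(credfile) as f:
            return f.read(), "file"
    return fetch_own_cred(user, slice_name), "own"

def load_cred_strict(user, slice_name, credfile=None):
    """Fail closed: use the caller's own credential only if no file was requested."""
    if credfile is None:
        return fetch_own_cred(user, slice_name), "own"
    try:
        with open(credfile) as f:
            data = f.read()
    except OSError as e:
        raise CredentialFileError(
            f"cannot read slice credential {credfile!r}: {e}") from e
    if not data.strip():
        raise CredentialFileError(f"slice credential file {credfile!r} is empty")
    return data, "file"

def replay_ticket(loader):
    """Constructed replay: credential saved under one name, requested under another."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "bindslice-cred.xml"), "w") as f:
            f.write(fetch_own_cred("lnevers1", "bindslice"))
        wrong = os.path.join(d, "lnevers1-bindslice-cred.xml")  # does not exist
        try:
            return loader("lnevers", "bindslice", wrong)
        except CredentialFileError as e:
            return None, f"error: {e}"

if __name__ == "__main__":
    print(replay_ticket(load_cred_lenient))  # lnevers' own credential, source "own"
    print(replay_ticket(load_cred_strict))   # no credential, explicit error
```

Returning the credential source alongside the credential lets the caller log which identity an operation actually ran under, which is what would have exposed the mismatch in this test.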
