Opened 12 years ago
Closed 12 years ago
#90 closed (fixed)
User who created sliver can incorrectly use other user's slice cred to do any operation on slivers
| Reported by: | lnevers@bbn.com | Owned by: | somebody |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | AM | Version: | SPIRAL4 |
| Keywords: | | Cc: | |
| Dependencies: | | | |
Description
This test scenario uses two user accounts:
- lnevers1 urn:publicid:IDN+pgeni.gpolab.bbn.com+user+lnevers1
- lnevers urn:publicid:IDN+pgeni.gpolab.bbn.com+user+lnevers
The user "lnevers" binds the user "lnevers1" to a slice. User "lnevers1" gets slice credentials and creates a sliver. User "lnevers" with the lnevers1 slice credentials executes various operations which work and should not.
Here is the test sequence:
- As user "lnevers", used the protogeni-tests script registerslice.py to bind user "lnevers1" to a slice. The command executed:
```
lnevers@sendaria:~/protogeni-tests$ ./registerslice.py --certificate=/home/lnevers/.ssl/pgeni/encrypted.pem --sa=https://www.pgeni.gpolab.bbn.com:443/protogeni/xmlrpc/sa -n bindslice lnevers1
Got my SA credential
No such slice registered here:Creating new slice called bindslice
New slice created: urn:publicid:IDN+emulab.net+slice+bindslice
Found other user record at the SA, binding to slice ...
Bound other user to slice at the SA
```
- User "lnevers1" gets slice credentials:
```
lnevers1@sendaria:~/gcf-1.6.2$ omni.py getslicecred bindslice -o
Result Summary: Saved slice bindslice cred to file bindslice-cred.xml
```
- User "lnevers1" creates a sliver:
```
lnevers1@sendaria:~/gcf-1.6.2$ omni.py createsliver -a exobbn bindslice exo.rspec --slicecredfile ./bindslice-cred.xml
Result Summary: Slice urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+bindslice expires on 2012-08-05 00:00:00 UTC
Reserved resources on https://bbn-hn.exogeni.net:11443/orca/xmlrpc.
```
- User "lnevers" uses lnevers1 slice credentials to execute various commands, which should not work. Note the credential file is renamed "lnevers1-bindslice-cred.xml" to make this capture clearer:
```
lnevers@sendaria:~/gcf-1.6.2$ omni.py -a exobbn listresources bindslice --slicecredfile ./lnevers1-bindslice-cred.xml -o
Result Summary: Retrieved resources for slice bindslice from 1 aggregates.
Wrote rspecs from 1 aggregates to 1 files
Saved listresources RSpec at 'unspecified_AM_URN' to file bindslice-rspec-bbn-hn-exogeni-net-11443-orca.xml; .
lnevers@sendaria:~/gcf-1.6.2$ omni.py -a exobbn sliverstatus bindslice --slicecredfile ./lnevers1-bindslice-cred.xml -o
Result Summary: Slice urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+bindslice expires on 2012-08-05 00:00:00 UTC
Saved sliverstatus on bindslice at AM https://bbn-hn.exogeni.net:11443/orca/xmlrpc to file bindslice-sliverstatus-bbn-hn-exogeni-net-11443-orca.json.
Returned status of slivers on 1 of 1 possible aggregates.
lnevers@sendaria:~/gcf-1.6.2$ omni.py -a exobbn renewsliver bindslice --slicecredfile ./lnevers1-bindslice-cred.xml 2012-08-04
Result Summary: Slice urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+bindslice expires on 2012-08-05 00:00:00 UTC
Renewed sliver urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+bindslice at unspecified_AM_URN (https://bbn-hn.exogeni.net:11443/orca/xmlrpc) until 2012-08-04T00:00:00+00:00 (UTC)
```
Attaching the lnevers1 slice credentials file used by lnevers.
Attachments (1)
Change History (2)
Changed 12 years ago by
Attachment: bindslice-cred.xml added
comment:1 Changed 12 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Closing ticket, this is not an ExoGENI error.
This problem was due to an Omni error handling problem. The test has a filename mismatch, which was not caught because Omni does not report any error when given a slice credential file name that does not exist; Omni uses the credential for the user executing the command rather than reporting.
Re-executed the procedure with the lnevers1 slice credentials file, and the proper response is given for all AM API operations, "No credential was found with appropriate privileges".
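The fail-open credential lookup described in this comment, next to a fail-closed form, as an added example (not Omni's code and not part of the original ticket). The simplified credential XML, the `fetch_own_cred` stand-in and the choice of which filename was missing are assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

SLICE = "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+bindslice"
LNEVERS = "urn:publicid:IDN+pgeni.gpolab.bbn.com+user+lnevers"
LNEVERS1 = "urn:publicid:IDN+pgeni.gpolab.bbn.com+user+lnevers1"

def make_cred(owner_urn, target_urn):  # constructed, simplified: no signature or GIDs
    return (f"<signed-credential><credential><owner_urn>{owner_urn}</owner_urn>"
            f"<target_urn>{target_urn}</target_urn></credential></signed-credential>")

def fetch_own_cred():  # hypothetical stand-in for asking the SA as the invoking user
    return make_cred(LNEVERS, SLICE)

def load_cred_fail_open(path):
    """Behaviour the ticket describes: a missing file silently falls back."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return fetch_own_cred()

def load_cred_fail_closed(path, slice_urn):
    """A credential file named explicitly must exist and match the slice."""
    with open(path) as f:  # FileNotFoundError propagates: no silent fallback
        text = f.read()
    if ET.fromstring(text).findtext("credential/target_urn") != slice_urn:
        raise ValueError(f"{path}: not a credential for {slice_urn}")
    return text

def owner_of(cred_text):
    return ET.fromstring(cred_text).findtext("credential/owner_urn")

def demo():
    with tempfile.TemporaryDirectory() as d:
        saved = os.path.join(d, "bindslice-cred.xml")
        wrong = os.path.join(d, "lnevers1-bindslice-cred.xml")  # assumed mismatch: never created
        with open(saved, "w") as f:
            f.write(make_cred(LNEVERS1, SLICE))
        used = owner_of(load_cred_fail_open(wrong))  # caller's own credential is used
        try:
            outcome = owner_of(load_cred_fail_closed(wrong, SLICE))
        except FileNotFoundError:
            outcome = "rejected: file not found"
        return used, outcome, owner_of(load_cred_fail_closed(saved, SLICE))

if __name__ == "__main__":
    print(demo())
```

With the fail-open loader the owner of the credential actually sent is lnevers, not lnevers1, which is why the authorization test appeared to pass.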