### URL

https://docs.crossplane.io/v1.16/concepts/claims/#claiming-existing-composite-resources

### What's Wrong?

The existing wording in the documentation implicitly tells that an existing composite resource can be claimed in any namespace just by referencing its name.

This would be an important threat scenario to add to https://github.com/crossplane/crossplane/blob/master/security/ADA-security-audit-23.pdf section "Crossplane Claims" page 10.

The doc should detail that there is a protection mechanism in place to maintain multi-tenancy:

- https://github.com/phisco/crossplane/blob/ec5a09fe5a518a431446578375f1853b93c66949/internal/controller/apiextensions/claim/reconciler.go#L370-L386
  > Return early if the claim references an XR that doesn't reference it.
- https://github.com/phisco/crossplane/blob/ec5a09fe5a518a431446578375f1853b93c66949/internal/controller/apiextensions/claim/reconciler_test.go#L177-L204
  > The reconcile should fail if the referenced XR is bound to another claim

https://github.com/crossplane/crossplane/issues/5423 `Multiple claims on a single composite resource`

> I'm unable to make multiple claims on the same CompositeResource object, whichever Claim object grabs it first wins.

The doc should also detail whether a claim is vulnerable to race condition attacks:

- an attacker tries to take over an existing composite when a claim is being deleted
- an attacker tries to take over a composite being created

#### Threat scenario if doc is correct

Given a platform consumer using namespaces to distinguish different roles (e.g. prod vs non-prod).

Given actor-1 in namespace-prod provisions the "prod-confidential-db" claim, and writes confidential data to it. Let's call `prod-composite-1` the name of the associated composite object.
Given actor-2 learns or guesses the name of the `prod-composite-1` resource, and creates a claim using `resourceRef` in namespace `non-prod`:

```yaml {label="resourceref",copy-lines="none"}
apiVersion: example.org/v1alpha1
kind: database
metadata:
  name: claiming-another-team-database
spec:
  resourceRef:
    apiVersion: example.org/v1alpha1
    kind: XMyDatabase
    name: prod-composite-1
```

Then, a connection secret in the namespace would provide access to the production database from the `non-prod` namespace.
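To make the protection mechanism referenced above concrete, here is a small model of the binding check (an added example, not Crossplane's own reconciler code). It follows the rule quoted from the reconciler comment: the XR's back-reference to a claim is authoritative, so a claim may bind an XR only if the XR is unbound or already references that same namespace/name. The objects, the `claim_ref` attribute standing in for the XR's claim reference, and the helper names are constructed assumptions for illustration, not Crossplane API guarantees.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ClaimRef:
    """Namespace-qualified identity of a claim, stored on the XR it owns."""
    namespace: str
    name: str


@dataclass
class CompositeResource:
    """Cluster-scoped XR; claim_ref plays the role of the XR's claim reference (assumed field)."""
    name: str
    claim_ref: Optional[ClaimRef] = None


@dataclass(frozen=True)
class Claim:
    """Namespaced claim; resource_ref_name plays the role of spec.resourceRef.name."""
    namespace: str
    name: str
    resource_ref_name: str


class ClaimBindingError(Exception):
    """Raised when a claim tries to bind an XR already owned by a different claim."""


def reconcile_binding(claim: Claim, xrs: Dict[str, CompositeResource]) -> CompositeResource:
    """Bind `claim` to the XR it names, refusing if the XR references another claim.

    Models the intent of the quoted reconciler comment ("return early if the claim
    references an XR that doesn't reference it"): the forward reference in the claim
    is never enough on its own; the XR must be unbound or point back at this claim.
    """
    xr = xrs.get(claim.resource_ref_name)
    if xr is None:
        raise ClaimBindingError(f"XR {claim.resource_ref_name!r} not found")
    me = ClaimRef(claim.namespace, claim.name)
    if xr.claim_ref is not None and xr.claim_ref != me:
        # Bound to a different claim (possibly in another namespace): do not rebind.
        raise ClaimBindingError(
            f"XR {xr.name!r} is bound to {xr.claim_ref.namespace}/{xr.claim_ref.name}, "
            f"refusing claim {me.namespace}/{me.name}"
        )
    xr.claim_ref = me  # unbound XR, or re-reconcile of the owning claim: bind it
    return xr


def run_scenario() -> Dict[str, object]:
    """Replay the issue's threat scenario on constructed sample objects."""
    xrs = {"prod-composite-1": CompositeResource(name="prod-composite-1")}
    prod_claim = Claim("namespace-prod", "prod-confidential-db", "prod-composite-1")
    attacker_claim = Claim("non-prod", "claiming-another-team-database", "prod-composite-1")
    second_prod_claim = Claim("namespace-prod", "another-claim", "prod-composite-1")

    results: Dict[str, object] = {}
    # actor-1's claim arrives first and takes ownership of the unbound XR.
    results["first_bind"] = reconcile_binding(prod_claim, xrs).claim_ref
    # Re-reconciling the owning claim is idempotent.
    results["re_reconcile"] = reconcile_binding(prod_claim, xrs).claim_ref
    # Any other claim naming the same XR, from any namespace, is refused ("first wins").
    for key, c in (("cross_namespace", attacker_claim), ("same_namespace_second", second_prod_claim)):
        try:
            reconcile_binding(c, xrs)
            results[key] = "bound"
        except ClaimBindingError as exc:
            results[key] = f"rejected: {exc}"
    results["owner_after"] = xrs["prod-composite-1"].claim_ref
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

This model is single-threaded, so it says nothing about the deletion and creation races the issue asks about; answering those requires looking at how the real reconciler orders the removal of the XR's claim reference against the claim's own deletion.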