1.7.4 keystone middleware allows operator_roles to delete accounts
Bug #1177526 reported by Alejandro Comisario
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |
| Essex | Invalid | Undecided | Unassigned | |
| OpenStack Object Storage (swift) | Fix Released | Undecided | Chmouel Boudjnah | |
Bug Description
Hi, we are using swift 1.7.4 with keystone auth, and we think we might have found a bug.
Our proxy-server.conf for keystone is as follows:

```ini
[filter:
use = egg:swift#
operator_roles = admin, swiftoperator
is_admin = true
```

And every user that has one of the operator_roles roles is able to directly delete an account, whether or not it has containers/objects.
As far as we understood, only the roles contained in reseller_admin_role are able to delete accounts, whether or not there is data in them.
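A toy model of the authorization gap the report describes, added here as an illustration; it is not Swift's keystoneauth code and is not part of this bug page. It assumes Swift's `/v1/<account>[/<container>[/<object>]]` path layout, the `operator_roles` from the posted configuration, and `ResellerAdmin` as the `reseller_admin_role` name (keystoneauth's default; tenant-to-account matching is left out to keep the model small). `check_permissive` reflects the behaviour the reporter observed, where any operator role is enough for every request in the account; `check_hardened` applies the policy the reporter expected, where deleting a whole account requires the reseller admin role.

```python
"""Toy model of operator_roles vs reseller_admin_role for account DELETE.

Added illustration, not Swift's keystoneauth middleware. Paths, role names
and the sample requests below are constructed for the example.
"""
from dataclasses import dataclass, field

OPERATOR_ROLES = {"admin", "swiftoperator"}  # from the reported proxy-server.conf
RESELLER_ADMIN_ROLE = "ResellerAdmin"         # keystoneauth default name (assumed for this deployment)


@dataclass
class Request:
    method: str
    path: str                                 # e.g. /v1/AUTH_tenant/container/object
    roles: set = field(default_factory=set)   # roles carried by the authenticated user


def split_path(path):
    """Return (account, container, obj) for /v1/<account>[/<container>[/<obj>]]."""
    parts = path.strip("/").split("/", 3)
    if len(parts) < 2 or parts[0] != "v1":
        raise ValueError("not a Swift v1 path: %r" % path)
    account = parts[1]
    container = parts[2] if len(parts) > 2 and parts[2] else None
    obj = parts[3] if len(parts) > 3 and parts[3] else None
    return account, container, obj


def check_permissive(req):
    """Observed behaviour: an operator role authorizes every request in the account,
    including DELETE on the account itself."""
    if RESELLER_ADMIN_ROLE in req.roles:
        return True
    return bool(req.roles & OPERATOR_ROLES)


def check_hardened(req):
    """Expected policy: account-level DELETE is reserved for the reseller admin;
    operator roles keep container- and object-level access."""
    if RESELLER_ADMIN_ROLE in req.roles:
        return True
    account, container, obj = split_path(req.path)
    if req.method == "DELETE" and container is None:
        return False  # whole-account delete: operator roles are not sufficient
    return bool(req.roles & OPERATOR_ROLES)


def decisions(check, requests):
    """Run one authorization check over a list of requests and collect the results."""
    return [check(r) for r in requests]


# Constructed sample traffic: account delete, container delete, object delete,
# reseller-admin account delete, and a read by a user without operator roles.
SAMPLE = [
    Request("DELETE", "/v1/AUTH_tenant", {"swiftoperator"}),
    Request("DELETE", "/v1/AUTH_tenant/photos", {"swiftoperator"}),
    Request("DELETE", "/v1/AUTH_tenant/photos/cat.jpg", {"admin"}),
    Request("DELETE", "/v1/AUTH_tenant", {"ResellerAdmin"}),
    Request("GET", "/v1/AUTH_tenant", {"member"}),
]

if __name__ == "__main__":
    for req, permissive, hardened in zip(SAMPLE,
                                         decisions(check_permissive, SAMPLE),
                                         decisions(check_hardened, SAMPLE)):
        print("%-6s %-32s %-20s permissive=%-5s hardened=%s"
              % (req.method, req.path, ",".join(sorted(req.roles)), permissive, hardened))
```

Running the block prints one line per sample request; the only row where the two checks disagree is the operator's DELETE on the bare account path, which is exactly the case the report complains about. The same split-path test is a cheap way to audit a proxy's access log for account-level DELETEs issued by non-reseller principals.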
- information type: Private Security → Public Security
- Changed in swift: status: New → Incomplete
- information type: Public Security → Public
- Changed in swift: milestone: none → 1.9.1; status: Fix Committed → Fix Released
I'm not sure I would count that as a vulnerability...
Let's see what the Swift devs say about it, it might just be a misconception due to lack of documentation.