OpenStack Identity (keystone)

oauth controller calls are not protected

Bug #1231709 reported by Steve Martinelli on 2013-09-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Steve Martinelli	OpenStack Identity (keystone) 2013.2 "havana"

Bug Description

It's open season for the oauth controllers, and anyone can call anything they want.
None of the controllers are protected. The policy.json file needs to be updated accordingly.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-26: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/48534

Changed in keystone:
assignee:	nobody → Steve Martinelli (stevemar)
status:	New → In Progress

Dolph Mathews (dolph) on 2013-09-26

Changed in keystone:
milestone:	none → havana-rc1
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-28: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/48534
Committed: http://github.com/openstack/keystone/commit/65f292144f2b8569c64d3fd479863d58d475fec9
Submitter: Jenkins
Branch: master

commit 65f292144f2b8569c64d3fd479863d58d475fec9
Author: Steve Martinelli <email address hidden>
Date: Thu Sep 26 17:03:24 2013 -0500

Protect oauth controller calls and update policy.json

    We need to call controller.protected for most of the oauth_calls.
    With the exception of the public ones (create_request_token,
    create_access_token, and authenticate_access_token).
    Also need to update the policy.json accordingly.

fixes bug 1231709

Change-Id: Ica111aa3ed82499d2de50d472754a0b5b3c5cc71