a normal user can delete other user's ec2 credentials

Bug #1417522 reported by wanghong
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: wanghong
Milestone: 2015.1.0

Bug Description

When using the default policy.v3cloudsample.json, a normal user can delete another user's ec2 credential. This is because the current policy for identity:ec2_delete_credential is (rule:admin_or_cloud_admin or rule:owner) or (rule:owner and user_id:%(target.credential.user_id)s). Note that rule:owner is "user_id:%(user_id)s or user_id:%(target.token.user_id)s", which only checks whether the user from the token matches the user from the URL. We should also check whether the user owns the credential being deleted.
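
To make the rule logic above concrete, here is a small constructed model of the policy evaluation, added for this page; it is not keystone's or oslo.policy's own code. It implements just enough of the policy.json rule language (rule:NAME references, KEY:VALUE checks with %(path)s substitution from the request target, role:NAME, and/or, parentheses) to show why the quoted identity:ec2_delete_credential rule passes for a non-owner and why a rule that also checks target.credential.user_id does not. Assumptions: admin_or_cloud_admin is reduced to the stand-in role:admin, the ownership-checking rule is written from the description's recommendation rather than copied from the merged change, and the user and credential ids are made up.

```python
"""Model of the keystone policy-rule evaluation behind bug #1417522.

Constructed example; NOT keystone's or oslo.policy's code. It parses and
evaluates the subset of the policy.json rule language needed to compare
the vulnerable identity:ec2_delete_credential rule with an ownership check.
"""
import re

# Tokens: '(' and ')', or a term; a term may embed %(...)s substitutions,
# whose own parentheses must not be split off as grouping parentheses.
_TOKEN_RE = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def tokenize(rule):
    return _TOKEN_RE.findall(rule)


class _Parser:
    """Recursive-descent parser; 'and' binds tighter than 'or'."""

    def __init__(self, tokens):
        self.toks = tokens
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_atom()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self.parse_atom())
        return node

    def parse_atom(self):
        tok = self._take()
        if tok == "(":
            node = self.parse_or()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        return ("check", tok)


def parse_rule(rule):
    parser = _Parser(tokenize(rule))
    node = parser.parse_or()
    if parser._peek() is not None:
        raise ValueError("trailing tokens in rule: %r" % rule)
    return node


def evaluate(node, rules, creds, target):
    """creds: caller attributes from the token (user_id, roles).
    target: flattened request target: URL parameters such as user_id plus
    'target.<resource>.<attr>' entries describing the object acted on."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], rules, creds, target) or evaluate(node[2], rules, creds, target)
    if kind == "and":
        return evaluate(node[1], rules, creds, target) and evaluate(node[2], rules, creds, target)
    key, _, value = node[1].partition(":")
    if key == "rule":
        return evaluate(parse_rule(rules[value]), rules, creds, target)
    if key == "role":
        return value in creds.get("roles", [])
    try:
        # %(path)s takes the expected value from the request target; a
        # missing target key makes the check fail instead of raising.
        expected = value % target
    except KeyError:
        return False
    return key in creds and str(creds[key]) == expected


# 'owner' and the delete rule are quoted from the bug report;
# 'admin_or_cloud_admin' is an assumed stand-in for the real definition.
VULNERABLE_POLICY = {
    "admin_or_cloud_admin": "role:admin",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "identity:ec2_delete_credential":
        "(rule:admin_or_cloud_admin or rule:owner) or "
        "(rule:owner and user_id:%(target.credential.user_id)s)",
}

# Assumed ownership-checking form (not copied from the commit): the bare
# rule:owner branch is gone, so a non-admin must match both the URL user_id
# and the owner of the credential being deleted.
FIXED_POLICY = dict(VULNERABLE_POLICY, **{
    "identity:ec2_delete_credential":
        "rule:admin_or_cloud_admin or "
        "(rule:owner and user_id:%(target.credential.user_id)s)",
})


def enforce(policy, action, creds, target):
    return evaluate(parse_rule(policy[action]), policy, creds, target)


def can_delete_ec2_credential(policy, caller_user_id, roles, url_user_id, credential_owner):
    """Model DELETE /v3/users/{url_user_id}/credentials/OS-EC2/{id}: the
    credential is looked up by id and its owner lands in the flattened target."""
    creds = {"user_id": caller_user_id, "roles": list(roles)}
    target = {"user_id": url_user_id, "target.credential.user_id": credential_owner}
    return enforce(policy, "identity:ec2_delete_credential", creds, target)


if __name__ == "__main__":
    # alice, a plain member, names herself in the URL but deletes bob's credential
    # (made-up ids). The vulnerable rule allows it; the ownership rule does not.
    print("vulnerable:", can_delete_ec2_credential(VULNERABLE_POLICY, "alice", ["member"], "alice", "bob"))
    print("fixed:     ", can_delete_ec2_credential(FIXED_POLICY, "alice", ["member"], "alice", "bob"))
```

The vulnerable rule is satisfied as soon as rule:owner passes, and rule:owner compares the token's user_id only with the user_id in the URL, which the caller controls; the credential id in the URL is never tied back to that user. Keeping rule:owner only inside the conjunction with user_id:%(target.credential.user_id)s closes that gap while still letting an admin delete any credential.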

wanghong (w-wanghong)
Changed in keystone:
assignee: nobody → wanghong (w-wanghong)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/152477

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by wanghong (<email address hidden>) on branch: master
Review: https://review.openstack.org/152477

Boris Bobrov (bbobrov) wrote : Re: a normal user can delete other user's ec2 credentiala
summary: - a normal user can delete other user's ec2 credentiala
+ a normal user can delete other user's ec2 credentials
Changed in keystone:
milestone: none → kilo-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/152444
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7b4a81fb3ded30beee9f84ebff640d8f0263ecce
Submitter: Jenkins
Branch: master

commit 7b4a81fb3ded30beee9f84ebff640d8f0263ecce
Author: wanghong <email address hidden>
Date: Tue Feb 3 17:36:05 2015 +0800

    make credential policy check ownership of credential

    Currently, policy.json and policy.v3cloudsample.json only check if
    the user from token matches the user from url. However, we should
    also check if the user owns the credential.

    Change-Id: I5c8bbb6736b028d6cb693d2a35e018f28caeaa57
    Closes-Bug: #1417366
    Closes-Bug: #1417522

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-rc1 → 2015.1.0