| 2017-11-30 21:31:24 |
Adam Young |
bug |
|
|
added bug |
| 2017-11-30 21:32:31 |
Adam Young |
bug |
|
|
added subscriber Lance Bragstad |
| 2017-11-30 21:32:59 |
Adam Young |
bug |
|
|
added subscriber Harry Rybacki |
| 2017-11-30 21:38:58 |
Adam Young |
bug |
|
|
added subscriber Henry Nash |
| 2017-11-30 21:53:08 |
Jeremy Stanley |
bug |
|
|
added subscriber Keystone Core security contacts |
| 2017-11-30 21:53:49 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2017-11-30 21:54:29 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2017-11-30 21:57:45 |
Jeremy Stanley |
description |
IN an attempt to keep the cloud sample file backwards compatible, the cloud_admin rule was modified like this:
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
This is wrong: the cloud sample is managing admin based on an admin domain, and a domain scoped token will never have is_admin_project: True in it. However, the migration path has ALL tokens tagged this way, and this will violate the security of the file.
This is not a problem yet, as the "is_admin_project" flag is going to be enforced by oslo-context, and that has not yet been integrated into the policy check in keystone. If it were, this would be a security hole.
I think this bug can be made public, but starting with it as private until it is reviewed. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
IN an attempt to keep the cloud sample file backwards compatible, the cloud_admin rule was modified like this:
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
This is wrong: the cloud sample is managing admin based on an admin domain, and a domain scoped token will never have is_admin_project: True in it. However, the migration path has ALL tokens tagged this way, and this will violate the security of the file.
This is not a problem yet, as the "is_admin_project" flag is going to be enforced by oslo-context, and that has not yet been integrated into the policy check in keystone. If it were, this would be a security hole.
I think this bug can be made public, but starting with it as private until it is reviewed. |
|
| 2017-12-01 15:30:22 |
Harry Rybacki |
bug |
|
|
added subscriber Luke Hinds |
| 2017-12-01 17:48:15 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
IN an attempt to keep the cloud sample file backwards compatible, the cloud_admin rule was modified like this:
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
This is wrong: the cloud sample is managing admin based on an admin domain, and a domain scoped token will never have is_admin_project: True in it. However, the migration path has ALL tokens tagged this way, and this will violate the security of the file.
This is not a problem yet, as the "is_admin_project" flag is going to be enforced by oslo-context, and that has not yet been integrated into the policy check in keystone. If it were, this would be a security hole.
I think this bug can be made public, but starting with it as private until it is reviewed. |
IN an attempt to keep the cloud sample file backwards compatible, the cloud_admin rule was modified like this:
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
This is wrong: the cloud sample is managing admin based on an admin domain, and a domain scoped token will never have is_admin_project: True in it. However, the migration path has ALL tokens tagged this way, and this will violate the security of the file.
This is not a problem yet, as the "is_admin_project" flag is going to be enforced by oslo-context, and that has not yet been integrated into the policy check in keystone. If it were, this would be a security hole.
I think this bug can be made public, but starting with it as private until it is reviewed. |
|
| 2017-12-01 17:48:27 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
| 2017-12-01 17:48:32 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
| 2018-01-08 20:55:37 |
Lance Bragstad |
keystone: status |
New |
Confirmed |
|
| 2018-01-08 20:55:39 |
Lance Bragstad |
keystone: importance |
Undecided |
Medium |
|
