yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1177526] [NEW] 1.7.4 keystone middleware allows operator_roles to delete accounts

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1177526@xxxxxxxxxxxxxxxxxx>
Date: Tue, 14 May 2013 07:41:06 -0000
Reply-to: Bug 1177526 <1177526@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Hi, we are using swift 1.7.4 with keystone auth, and we think we might found a bug.
Our proxy-server.conf for kesytone is as follow :

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
is_admin = true

And every user that has one of the operator_roles roles, are able to
directly delete an account despite it has or not containers/objects.

As long as we understood, only the roles contained in
reseller_admin_role are able to delete accounts despite there is data in
it or not.

** Affects: keystone
     Importance: Undecided
         Status: Incomplete


** Tags: folsom keystone
-- 
1.7.4 keystone middleware allows operator_roles to delete accounts
https://bugs.launchpad.net/bugs/1177526
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.