
yahoo-eng-team team mailing list archive

[Bug 1177526] Re: 1.7.4 keystone middleware allows operator_roles to delete accounts

 

Agreed with Chmouel in comment 9 (not a vulnerability), will open this
bug publicly tomorrow if nobody complains.

** Also affects: swift
   Importance: Undecided
       Status: New

** Changed in: swift
       Status: New => Incomplete

** Changed in: keystone
       Status: Incomplete => Invalid

** Also affects: swift/essex
   Importance: Undecided
       Status: New

** No longer affects: swift/essex

** Also affects: keystone/essex
   Importance: Undecided
       Status: New

** Changed in: keystone/essex
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1177526

Title:
  1.7.4 keystone middleware allows operator_roles to delete accounts

Status in OpenStack Identity (Keystone):
  Invalid
Status in Keystone essex series:
  Incomplete
Status in OpenStack Object Storage (Swift):
  Incomplete

Bug description:
  Hi, we are using swift 1.7.4 with keystone auth, and we think we might have found a bug.
  Our proxy-server.conf for keystone is as follows:

  [filter:keystoneauth]
  use = egg:swift#keystoneauth
  operator_roles = admin, swiftoperator
  is_admin = true

  And every user that has one of the operator_roles roles is able to
  directly delete an account whether or not it has containers/objects.

  As far as we understood, only the roles contained in
  reseller_admin_role are able to delete accounts, whether or not there
  is data in them.
