
yahoo-eng-team team mailing list archive

[Bug 1064914] Re: [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant

 

** Summary changed:

- Removing user from a tenant isn't invalidating user access to tenant
+ [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Thierry Carrez (ttx)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1064914

Title:
  [OSSA-2012-018] Removing user from a tenant isn't invalidating user
  access to tenant

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Committed
Status in Keystone folsom series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “keystone” package in Ubuntu:
  Fix Released
Status in “keystone” source package in Quantal:
  Fix Released

Bug description:
  Was: (Able to access ec2 resources without a user-role)

  Steps to reproduce:

  1. I have created a user, tenant and ec2 credentials using keystone and didn't associate a role,
  then tried to run
  $ euca-describe-images
  Unauthorized: Failure communicating with keystone2

  2. Then associated a role to the user
  $ keystone user-role-add --user-id ee32bff3e1524a2b82fe804aac0ce682 --tenant-id cf38a72df8a14bb8984c699edfceb1c3 --role-id 26760c0f9ed045fcb70112f7b16813b3

  3. Then again I ran
  $ euca-describe-images
  IMAGE	ami-00000002	None (cirros-0.3.0-x86_64-uec)	597b866b450d491f889b9432a564e9a9	available	public			machineaki-00000001	ari-00000003		instance-store
  IMAGE	ari-00000003	None (cirros-0.3.0-x86_64-uec-ramdisk)	597b866b450d491f889b9432a564e9a9	available	public			ramdisk				instance-store
  IMAGE	aki-00000001	None (cirros-0.3.0-x86_64-uec-kernel)	597b866b450d491f889b9432a564e9a9	available	public			kernel				instance-store

  4. Remove the user-role
  keystone user-role-delete --user-id ee32bff3e1524a2b82fe804aac0ce682 --tenant-id cf38a72df8a14bb8984c699edfceb1c3 --role-id 26760c0f9ed045fcb70112f7b16813b3

  5. Now the user doesn't have any role associated; now again run
  $ euca-describe-images
  IMAGE	ami-00000002	None (cirros-0.3.0-x86_64-uec)	597b866b450d491f889b9432a564e9a9	available	public			machineaki-00000001	ari-00000003		instance-store
  IMAGE	ari-00000003	None (cirros-0.3.0-x86_64-uec-ramdisk)	597b866b450d491f889b9432a564e9a9	available	public			ramdisk				instance-store
  IMAGE	aki-00000001	None (cirros-0.3.0-x86_64-uec-kernel)	597b866b450d491f889b9432a564e9a9	available	public			kernel				instance-store

  Here the user should get the message as in step 2, but it was successful.

  Not sure if this is a bug with keystone or ec2.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1064914/+subscriptions
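
The sequence in the report above, replayed against a toy model as a regression check. This is an added example, not Keystone code and not part of the original notification. The class, function and user/tenant/role names are hypothetical, and the model assumes (the report does not state the mechanism) that access obtained while the role was held is reused after the role is removed.

```python
# Toy model, constructed for illustration; not Keystone code.
import secrets


class IdentityService:
    """Hypothetical identity service that issues tenant-scoped tokens."""

    def __init__(self, revoke_on_role_removal):
        self.revoke_on_role_removal = revoke_on_role_removal
        self.roles = set()   # (user, tenant, role) assignments
        self.tokens = {}     # token -> (user, tenant)

    def _is_member(self, user, tenant):
        return any(u == user and t == tenant for u, t, _ in self.roles)

    def add_role(self, user, tenant, role):
        self.roles.add((user, tenant, role))

    def remove_role(self, user, tenant, role):
        self.roles.discard((user, tenant, role))
        if self.revoke_on_role_removal and not self._is_member(user, tenant):
            # Hardened behaviour: drop every token scoped to this user and tenant.
            self.tokens = {k: v for k, v in self.tokens.items()
                           if v != (user, tenant)}

    def authenticate(self, user, tenant):
        """Issue a token only if the user holds a role in the tenant."""
        if not self._is_member(user, tenant):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (user, tenant)
        return token

    def validate(self, token):
        """Validity is a lookup of issued tokens; roles are not re-checked."""
        return token in self.tokens


def reproduce(service, user="user-1", tenant="tenant-1", role="role-1"):
    """Run the report's sequence; return access results for steps 1, 3 and 5."""
    step1 = service.authenticate(user, tenant) is not None  # no role yet
    service.add_role(user, tenant, role)
    token = service.authenticate(user, tenant)
    step3 = service.validate(token)                          # role held
    service.remove_role(user, tenant, role)
    step5 = service.validate(token)                          # role removed
    return [step1, step3, step5]
```

A service that passes this check returns `[False, True, False]`; the behaviour described in the report corresponds to `[False, True, True]`.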