yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #03208
[Bug 1064914] Re: [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant
** Summary changed:
- Removing user from a tenant isn't invalidating user access to tenant
+ [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Fix Released
** Changed in: ossa
Assignee: (unassigned) => Thierry Carrez (ttx)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1064914
Title:
[OSSA-2012-018] Removing user from a tenant isn't invalidating user
access to tenant
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone essex series:
Fix Committed
Status in Keystone folsom series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Status in “keystone” package in Ubuntu:
Fix Released
Status in “keystone” source package in Quantal:
Fix Released
Bug description:
Was: (Able to access ec2 resources with out a user-role)
Steps to reproduce:
1.I have created a user,tenant and ec2 credentials using keystone and didnt associated a role
then try to run
$ euca-describe-images
Unauthorized: Failure communicating with keystone2
2.then associated a role to the user
$keystone user-role-add --user-id ee32bff3e1524a2b82fe804aac0ce682 --tenant-id cf38a72df8a14bb8984c699edfceb1c3 --role-id 26760c0f9ed045fcb70112f7b16813b3
3.then again I ran
$ euca-describe-images
IMAGE ami-00000002 None (cirros-0.3.0-x86_64-uec) 597b866b450d491f889b9432a564e9a9 available public machineaki-00000001 ari-00000003 instance-store
IMAGE ari-00000003 None (cirros-0.3.0-x86_64-uec-ramdisk) 597b866b450d491f889b9432a564e9a9 available public ramdisk instance-store
IMAGE aki-00000001 None (cirros-0.3.0-x86_64-uec-kernel) 597b866b450d491f889b9432a564e9a9 available public kernel instance-store
4.remove the user-role
keystone user-role-delete --user-id ee32bff3e1524a2b82fe804aac0ce682 --tenant-id cf38a72df8a14bb8984c699edfceb1c3 --role-id 26760c0f9ed045fcb70112f7b16813b3
5.now the user doesn't have any role associated,now again run
$ euca-describe-images
IMAGE ami-00000002 None (cirros-0.3.0-x86_64-uec) 597b866b450d491f889b9432a564e9a9 available public machineaki-00000001 ari-00000003 instance-store
IMAGE ari-00000003 None (cirros-0.3.0-x86_64-uec-ramdisk) 597b866b450d491f889b9432a564e9a9 available public ramdisk instance-store
IMAGE aki-00000001 None (cirros-0.3.0-x86_64-uec-kernel) 597b866b450d491f889b9432a564e9a9 available public kernel instance-store
here user should get the message as in step 2 but it was successful.
not sure if this is a bug with keystone or ec2.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1064914/+subscriptions