yahoo-eng-team team mailing list archive

[Bug 1006815] Re: [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token

** Summary changed:

- Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token
+ [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Russell Bryant (russellb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1006815

Title:
  [OSSA 2012-015] Admin API
  /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “keystone” package in Ubuntu:
  Fix Released
Status in “keystone” source package in Precise:
  Fix Released
Status in “keystone” source package in Quantal:
  Fix Released

Bug description:
  Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't
  validate the authentication token before returning a response.

  i.e. we can get the same result without a token in the HTTP header.

  Eg:
  without a token
  jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100    72  100    72    0     0    308      0 --:--:-- --:--:-- --:--:--   346
  {
      "roles": [
          {
              "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
              "name": "admin"
          }
      ]
  }

  with token
  jason@ubuntu:~/project/keystone$ curl -H "X-Auth-Token:ecab59a3f4e2468b9934c24f8660a809" http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100    72  100    72    0     0    242      0 --:--:-- --:--:-- --:--:--   270
  {
      "roles": [
          {
              "id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
              "name": "admin"
          }
      ]
  }

  What we expect:
  without a token
  jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   116  100   116    0     0    848      0 --:--:-- --:--:-- --:--:--  1026
  {
      "error": {
          "code": 401,
          "message": "The request you have made requires authentication.",
          "title": "Not Authorized"
      }
  }

  Attached is a diff of the changes.
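The report above shows the defect from the outside (the role listing comes back with or without a token) and the expected 401 body. The following is an added example, not Keystone's code or the attached diff: a minimal model of an admin-API handler in the buggy shape beside one wrapped in a token check, so the behaviour described in the report can be reproduced and regression-tested offline. The `TOKENS` store, the `protected` decorator and `assert_admin` are hypothetical stand-ins for whatever the real service uses; the ids and token are the sample values from the report.

```python
import functools
import json

# Constructed sample data: an in-memory stand-in for a token backend, keyed by
# the token string, plus one role assignment (ids taken from the bug report).
TOKENS = {
    "ecab59a3f4e2468b9934c24f8660a809": {"user_id": "b84f6dbb6d7b4130a8a9e9298ec96164",
                                         "roles": ["admin"]},
    "0123456789abcdef0123456789abcdef": {"user_id": "member-user",
                                         "roles": ["Member"]},
}
ROLE_ASSIGNMENTS = {
    ("1f73672bf2184a909abc8fe67e7a537d", "b84f6dbb6d7b4130a8a9e9298ec96164"):
        [{"id": "06906f69ffd44ad0b9fc86d1c3d1bcbd", "name": "admin"}],
}


class AuthError(Exception):
    """Carries the HTTP status and the JSON error body the API should return."""

    def __init__(self, code, title, message):
        super().__init__(message)
        self.code = code
        self.body = {"error": {"code": code, "message": message, "title": title}}


def header(headers, name):
    """Case-insensitive header lookup: HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def assert_admin(headers):
    """Refuse the request unless it carries a valid token that holds the admin role."""
    token = header(headers, "X-Auth-Token")
    if not token or token not in TOKENS:
        # Missing or unknown token: the 401 body the report says it expects.
        raise AuthError(401, "Not Authorized",
                        "The request you have made requires authentication.")
    if "admin" not in TOKENS[token]["roles"]:
        # Authenticated but not an admin: refuse with 403, not 401.
        raise AuthError(403, "Forbidden",
                        "You are not authorized to perform the requested action.")


def protected(handler):
    """Hypothetical decorator: run assert_admin before the wrapped handler."""
    @functools.wraps(handler)
    def wrapper(headers, *args):
        try:
            assert_admin(headers)
        except AuthError as err:
            return err.code, err.body
        return handler(headers, *args)
    return wrapper


def get_user_roles_unprotected(headers, tenant_id, user_id):
    """The buggy shape: the handler never looks at the token header."""
    roles = ROLE_ASSIGNMENTS.get((tenant_id, user_id), [])
    return 200, {"roles": roles}


@protected
def get_user_roles(headers, tenant_id, user_id):
    """The fixed shape: same body, but only reachable once assert_admin passes."""
    roles = ROLE_ASSIGNMENTS.get((tenant_id, user_id), [])
    return 200, {"roles": roles}


def endpoint_requires_token(handler, tenant_id, user_id):
    """Regression check: a call with no token at all must be refused with 401."""
    status, _body = handler({}, tenant_id, user_id)
    return status == 401


if __name__ == "__main__":
    tenant = "1f73672bf2184a909abc8fe67e7a537d"
    user = "b84f6dbb6d7b4130a8a9e9298ec96164"
    for name, handler in (("unprotected", get_user_roles_unprotected),
                          ("protected", get_user_roles)):
        status, body = handler({}, tenant, user)
        print(name, status, json.dumps(body, indent=4))
```

`endpoint_requires_token` is the check worth keeping in a test suite: it fails against `get_user_roles_unprotected` and passes against `get_user_roles`, which is exactly the distinction the report draws between the observed and the expected response.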