yahoo-eng-team team mailing list archive

[Bug 1177526] Re: 1.7.4 keystone middleware allows operator_roles to delete accounts

 

** Changed in: swift
       Status: Fix Committed => Fix Released

** Changed in: swift
    Milestone: None => 1.9.1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1177526

Title:
  1.7.4 keystone middleware allows operator_roles to delete accounts

Status in OpenStack Identity (Keystone):
  Invalid
Status in Keystone essex series:
  Incomplete
Status in OpenStack Object Storage (Swift):
  Fix Released

Bug description:
  Hi, we are using swift 1.7.4 with keystone auth, and we think we might have found a bug.
  Our proxy-server.conf for keystone is as follows:

  [filter:keystoneauth]
  use = egg:swift#keystoneauth
  operator_roles = admin, swiftoperator
  is_admin = true

  And every user that has one of the operator_roles roles is able to
  directly delete an account, whether or not it has containers/objects.

  As far as we understood, only the roles contained in
  reseller_admin_role are able to delete accounts, whether or not there
  is data in them.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1177526/+subscriptions
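
Added example, not part of the original bug report and not Swift's keystoneauth code: a simplified model of the policy the reporter expects, in which operator_roles manage an account's containers and objects while deleting the account itself requires reseller_admin_role. The role value ResellerAdmin, the AUTH_demo paths and the function names are assumptions made for illustration, and the token's tenant is assumed to already match the account.

```python
import configparser

# Constructed sample based on the filter section quoted in the report.
# reseller_admin_role is set explicitly; its value is an assumption.
SAMPLE_CONF = """
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
reseller_admin_role = ResellerAdmin
"""


def load_roles(conf_text):
    """Return (operator_roles, reseller_admin_role), lower-cased."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["filter:keystoneauth"]
    ops = {r.strip().lower()
           for r in sec.get("operator_roles", "").split(",") if r.strip()}
    return ops, sec.get("reseller_admin_role", "").strip().lower()


def is_account_level(path):
    """True for /v1/<account> with no container or object component."""
    parts = [p for p in path.split("/") if p]
    return len(parts) == 2


def authorize(method, path, user_roles, conf_text=SAMPLE_CONF):
    """Hypothetical decision function modelling the expected behaviour."""
    ops, reseller = load_roles(conf_text)
    roles = {r.lower() for r in user_roles}
    if reseller and reseller in roles:
        return True    # reseller admin: may act on any account
    if is_account_level(path) and method == "DELETE":
        return False   # account deletion is reserved for reseller admin
    return bool(roles & ops)  # operators manage the account's contents


if __name__ == "__main__":
    for roles in (["swiftoperator"], ["ResellerAdmin"]):
        print(roles, authorize("DELETE", "/v1/AUTH_demo", roles))
```

The same cases can serve as a regression check against a deployment: an account-level DELETE issued with a token that holds only an operator role should be refused.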