
yahoo-eng-team team mailing list archive

[Bug 1187198] Re: V3 policy engine does not support domain isolation of roles while policy evaluation.

 

** Changed in: keystone
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1187198

Title:
  V3 policy engine does not support domain isolation of roles while
  policy evaluation.

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  It seems that while evaluating API access rights, the policy engine only
  looks for the roles in the incoming credential (X-Auth-Token) but does
  not consider the domain of the target.

  
  Scenario:

  1. There is a role defined in the system called "user_creator", and a policy is set up for this role for the "identity:create_domain" API.
  2. There are two domains, Da and Db, in the system.
  3. In domain Da there is a user Ua. Ua has "user_creator" on domain Da.
  4. Ua gets a token scoped to Da, and hence his credential has the "user_creator" role.
  5. Now Ua uses "POST /users" to create a user (say Ub) in domain Db.

  #5 should fail because in reality Ua does not have the "user_creator"
  role in Db, but it succeeded due to this bug.

  Note, this is true for all relevant APIs.

  Seems like a security vulnerability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1187198/+subscriptions
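The following is an added illustration of the evaluation difference the report describes; it is not code from the bug report, from Keystone, or from oslo.policy. It is a tiny policy evaluator modelled on the Keystone policy-file language (`role:<name>`, `rule:<name>`, and generic `attr:%(target.path)s` comparisons joined by `and`/`or`), fed with constructed credentials and targets. The rule strings, the `user.domain_id` target path, the `domain_id` credential attribute and the token/target dict layout are assumptions chosen for the example. The point it shows: a rule that checks only `role:user_creator` lets Ua's Da-scoped token create a user in Db (the behaviour in step 5), while a rule that additionally requires `domain_id:%(user.domain_id)s` binds the role to the target's domain and rejects the cross-domain request.

```python
"""Role-only vs. role-plus-domain policy rules (constructed example, not Keystone code).

Atoms understood by this toy evaluator:
  role:<name>          -> <name> must be in creds["roles"]
  rule:<name>          -> evaluate the named rule from the same rule set
  <attr>:%(path)s      -> creds[<attr>] must equal the value found at <path> in the target
  <attr>:<literal>     -> creds[<attr>] must equal <literal>
'and' binds tighter than 'or'; parentheses are not supported.
"""
import re

_GENERIC = re.compile(r"%\((.+)\)s")


def _lookup(target, path):
    """Walk a dotted path ('user.domain_id') through nested target dicts."""
    cur = target
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check_atom(atom, creds, target, rules):
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check(rules, value, creds, target)
    m = _GENERIC.fullmatch(value)
    if m:
        # Generic check: the credential attribute must match the target attribute.
        # A missing credential attribute never matches (e.g. an unscoped token has no domain_id).
        cred_val = creds.get(kind)
        return cred_val is not None and cred_val == _lookup(target, m.group(1))
    return str(creds.get(kind)) == value


def check(rules, action, creds, target):
    """Return True if `creds` may perform `action` on `target` under `rules`."""
    expr = rules[action].strip()
    if expr == "":
        return True  # empty rule: always allowed
    return any(
        all(_check_atom(atom.strip(), creds, target, rules) for atom in disj.split(" and "))
        for disj in expr.split(" or ")
    )


# --- Constructed inputs reproducing the report's scenario (assumed layout) ---

# Ua's token is scoped to domain Da and carries the user_creator role.
TOKEN_UA = {"user_id": "Ua", "domain_id": "Da", "roles": ["user_creator"]}
# An admin token scoped to some other domain, for the admin_required path.
TOKEN_ADMIN = {"user_id": "root", "domain_id": "Dx", "roles": ["admin"]}

# Targets: the request body of "POST /users", exposed to the policy as target["user"].
CREATE_UB_IN_DB = {"user": {"name": "Ub", "domain_id": "Db"}}   # step 5: cross-domain
CREATE_IN_DA = {"user": {"name": "Ua2", "domain_id": "Da"}}     # same-domain control

# Rule set 1: only the role is inspected. This reproduces the reported behaviour.
ROLE_ONLY = {
    "identity:create_user": "role:user_creator",
}

# Rule set 2: the role is bound to the target's domain via a generic check.
DOMAIN_BOUND = {
    "admin_required": "role:admin",
    "identity:create_user": (
        "rule:admin_required or role:user_creator and domain_id:%(user.domain_id)s"
    ),
}


def scenario():
    """Evaluate step 5 of the report under both rule sets."""
    return {
        "role_only_cross_domain": check(ROLE_ONLY, "identity:create_user", TOKEN_UA, CREATE_UB_IN_DB),
        "domain_bound_cross_domain": check(DOMAIN_BOUND, "identity:create_user", TOKEN_UA, CREATE_UB_IN_DB),
        "domain_bound_same_domain": check(DOMAIN_BOUND, "identity:create_user", TOKEN_UA, CREATE_IN_DA),
        "domain_bound_admin": check(DOMAIN_BOUND, "identity:create_user", TOKEN_ADMIN, CREATE_UB_IN_DB),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:28s} -> {'ALLOWED' if allowed else 'denied'}")
```

The difference is entirely in the rule, not the engine: the evaluator sees the same token either way, but only the second rule set compares the token's domain scope against the domain the new user would land in. Whether a real deployment is exposed therefore depends on the policy file it ships with, which is why checking that every domain-scoped action carries such a `domain_id:%(...)s` match is a useful review item.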