yahoo-eng-team team mailing list archive
Message #04915
[Bug 1187198] Re: V3 policy engine does not support domain isolation of roles during policy evaluation.
** Changed in: keystone
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1187198
Title:
V3 policy engine does not support domain isolation of roles during policy evaluation.
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
It seems that while evaluating API access rights, the policy engine only looks for the roles in the incoming credential (X-Auth-token) but does not consider the domain of the target.
Scenario:
1. There is a role defined in the system called "user_creator", and a policy is set up for this role for the "identity:create_domain" API.
2. There are two domains, Da and Db, in the system.
3. In domain Da there is a user Ua. Ua has "user_creator" on domain Da.
4. Ua gets a token scoped to Da and hence his credential has the "user_creator" role.
5. Now Ua uses "POST /users" to create a user (suppose Ub) in domain Db.
#5 should fail because in reality Ua does not have the "user_creator" role in Db, but it succeeded due to this bug.
Note, this is true for all relevant APIs.
This seems to be a security vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1187198/+subscriptions
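Added illustration of the failure mode described in the report, not Keystone's own policy engine or policy file: a role-only rule is evaluated beside a rule that also requires the token's domain scope to match the target's domain, replaying steps 1-5 with constructed credential and target dicts (user Ua scoped to Da, new user Ub in Db). The action name "identity:create_user" and the dict fields are assumptions for the example.

```python
# Constructed model of policy enforcement; not Keystone's real engine.
# A "credential" is the token's content; a "target" is the object the API
# call acts on (here, the user being created).

ROLE_ONLY_POLICY = {
    # Weak form from the report: anyone whose token carries the role passes,
    # no matter which domain the token is scoped to.
    "identity:create_user": {"role": "user_creator"},
}

DOMAIN_AWARE_POLICY = {
    # Hardened form: the role must be present AND the token's domain scope
    # must equal the domain the target lives in.
    "identity:create_user": {"role": "user_creator", "domain_match": True},
}


def enforce(policy, action, credential, target):
    """Return True if `credential` satisfies the rule for `action` on `target`."""
    rule = policy[action]
    if rule["role"] not in credential.get("roles", []):
        return False
    if rule.get("domain_match"):
        # Domain isolation: the token's scope must be the target's domain.
        if credential.get("domain_id") != target.get("domain_id"):
            return False
    return True


def scenario(policy):
    """Steps 1-5 of the report: Ua, scoped to Da, tries to create Ub in Db."""
    token_ua = {"user_id": "Ua", "domain_id": "Da", "roles": ["user_creator"]}
    new_user_in_db = {"name": "Ub", "domain_id": "Db"}
    return enforce(policy, "identity:create_user", token_ua, new_user_in_db)


def same_domain_scenario(policy):
    """Control case: Ua creates a user in his own domain Da; must be allowed."""
    token_ua = {"user_id": "Ua", "domain_id": "Da", "roles": ["user_creator"]}
    new_user_in_da = {"name": "Uc", "domain_id": "Da"}
    return enforce(policy, "identity:create_user", token_ua, new_user_in_da)


if __name__ == "__main__":
    print("role-only policy allows cross-domain create:", scenario(ROLE_ONLY_POLICY))
    print("domain-aware policy allows cross-domain create:", scenario(DOMAIN_AWARE_POLICY))
    print("domain-aware policy allows same-domain create:", same_domain_scenario(DOMAIN_AWARE_POLICY))
```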