
yahoo-eng-team team mailing list archive

[Bug 1186059] Re: A Keystone user can't perform revoke_token operation due to absence of target in context


** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => icehouse-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1186059

Title:
  A Keystone user can't perform revoke_token operation due to absence
  of target in context

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  The default policy file which comes with keystone has the "["user_id:%(user_id)s"]" rule defined for the "identity:revoke_token" API, but to trigger this rule the user_id should be the target.
  For all the APIs listed below there is no target set the way there is for an API like "GET /users/{user_id}"; in this case the "["user_id:%(user_id)s"]" rule is never triggered and hence a legitimate user cannot perform the below operations for his own token.

  identity:check_token
  identity:validate_token
  identity:revoke_token

  This issue can lead to a security vulnerability because the token will
  stay active until the end of its life.

  Fix: In my opinion we should use "X-Subject-Token", which comes in
  the header, to derive the target for the auth check.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1186059/+subscriptions
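The failure the report describes, as an added illustration that is not Keystone's own code: a minimal re-implementation of how a "key:%(field)s" policy rule is evaluated, run once with an empty target (the buggy case) and once with the target derived from the X-Subject-Token value (the proposed fix). The token table and the lookup helper are assumed stand-ins for the token backend.

```python
# Added example, not Keystone's code: a rule such as "user_id:%(user_id)s"
# compares a key from the caller's credentials with a template filled in
# from the request *target*. If no target is set, the template cannot be
# filled, so the rule can never match, whoever the caller is.

DEFAULT_RULE = "user_id:%(user_id)s"   # rule from keystone's default policy

# Constructed sample data: subject token id -> owning user. This stands in
# for whatever the token backend would return for an X-Subject-Token value.
TOKENS = {
    "tok-alice": {"user_id": "alice"},
    "tok-bob": {"user_id": "bob"},
}


def generic_check(rule, creds, target):
    """Evaluate one 'key:%(field)s' rule against credentials and a target."""
    key, _, template = rule.partition(":")
    try:
        expected = template % target     # fill the template from the target
    except KeyError:
        return False                     # missing target field: no match
    return str(creds.get(key)) == expected


def target_from_subject_token(subject_token):
    """Derive the auth target from the X-Subject-Token header (assumed lookup)."""
    owner = TOKENS.get(subject_token)
    if owner is None:
        return {}                        # unknown token: leave the target empty
    return {"user_id": owner["user_id"]}


def may_revoke(caller_user_id, subject_token, derive_target):
    """Decide identity:revoke_token for the caller, with or without a target."""
    creds = {"user_id": caller_user_id}
    target = target_from_subject_token(subject_token) if derive_target else {}
    return generic_check(DEFAULT_RULE, creds, target)


if __name__ == "__main__":
    # Reported behaviour: no target, so even the token's owner is denied.
    print(may_revoke("alice", "tok-alice", derive_target=False))   # False
    # Target derived from the header: the owner may revoke their own token ...
    print(may_revoke("alice", "tok-alice", derive_target=True))    # True
    # ... while another user is still denied.
    print(may_revoke("bob", "tok-alice", derive_target=True))      # False
```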