yahoo-eng-team team mailing list archive

[Bug 1291393] Re: domain_id in User/Group/Project should be immutable

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1291393

Title:
  domain_id in User/Group/Project should be immutable

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  Today we allow the domain_id in User, Group and Project entities to be
  updated, effectively moving the entity between domains. With today's
  policy capability this represents a potential security hole if you are
  trying to enforce strict domain admin type roles. We should allow a
  cloud provider to disable this current update ability and make the
  domain_id attribute immutable in the same way we do for the id of the
  entity.

  Here's a recipe for how to create this potential security hole using the v3 policy sample file:
  - Have a user with role 'admin' on domain_A (this makes them a "domain admin")
  - They try to update their user entity (or any other user entity) with {'domain_id': domain_B}. This will succeed, even though the goal of the v3 policy sample file is to restrict such a user's access to objects in domain_A only
  - The user is now part of domain_B
  - The above does not actually yet give the user the ability to authenticate to domain_B (since they do not have a role on that domain), but it perhaps lays the groundwork for some other attack to enable that
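The following Python model is an added illustration of the report above and is not Keystone's code. It replays the update path with a domain-scoped admin rule and a provider switch, the keyword argument `domain_id_immutable` (a name chosen for this example), showing that once the entity has been moved the domain_A admin's own scope check no longer covers it, and that treating domain_id like the entity id closes the gap.

```python
# Added illustration of bug 1291393; this is NOT Keystone's code. It models the
# v3 update path: a domain-scoped "admin" rule plus a provider switch (the
# keyword `domain_id_immutable`, a name chosen here) that makes domain_id as
# immutable as the entity's id.
import copy

IMMUTABLE_ATTRS = frozenset({"id", "domain_id"})

# Constructed sample data: one user living in domain_A.
SAMPLE_USERS = {
    "u1": {"id": "u1", "name": "alice", "domain_id": "domain_A"},
}


class ImmutableAttributeError(ValueError):
    """Raised when an update tries to change id or domain_id."""


def domain_admin_allowed(token_domain, target):
    """Stand-in for the v3 sample policy: a domain admin may act only on
    entities whose domain_id matches the domain the token is scoped to."""
    return token_domain == target["domain_id"]


def update_user(users, token_domain, user_id, patch, domain_id_immutable=True):
    """Apply `patch` to users[user_id] on behalf of a domain-scoped admin."""
    user = users[user_id]
    if not domain_admin_allowed(token_domain, user):
        raise PermissionError(f"{token_domain} admin may not modify {user_id}")
    if domain_id_immutable:
        # Reject any attempt to change an immutable attribute, same as for id.
        changed = sorted(k for k in IMMUTABLE_ATTRS
                         if k in patch and patch[k] != user[k])
        if changed:
            raise ImmutableAttributeError(f"cannot change {changed}")
    user.update(patch)
    return user


def replay_move_attempt(domain_id_immutable):
    """Replay the recipe: a domain_A admin patches a domain_A user with
    {'domain_id': 'domain_B'}. Returns (domain_id afterwards, whether the
    domain_A admin's scope check still covers the user)."""
    users = copy.deepcopy(SAMPLE_USERS)
    try:
        update_user(users, "domain_A", "u1", {"domain_id": "domain_B"},
                    domain_id_immutable=domain_id_immutable)
    except ImmutableAttributeError:
        pass  # the hardened path refuses the move and leaves the user alone
    user = users["u1"]
    return user["domain_id"], domain_admin_allowed("domain_A", user)
```

With the switch off the user ends up in domain_B and the domain_A admin's own policy rule no longer matches it; with the switch on the update is refused and ordinary attribute updates (such as name) still succeed.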

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1291393/+subscriptions