yahoo-eng-team team mailing list archive
Message #12241
[Bug 1287219] Re: scope of domain admin too broad in v3 policy sample
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1287219
Title:
scope of domain admin too broad in v3 policy sample
Status in OpenStack Identity (Keystone):
Fix Released
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
New
Bug description:
Using the policies in the new default policy.v3cloudsample.json file,
a domain admin can easily elevate himself and become the cloud admin:
1) Get a token of a domain admin (a user with 'admin' role on any domain other than the default domain which is the cloud admin's domain)
2) Grant yourself the admin role on the default domain which is the domain of the cloud admin (PUT /v3/domains/default/user/<your_id_here>/roles/<admin_role_id>)
3) Change your domain_id to the id of the default domain (PATCH /v3/users/<your_id_here> -d '{"user": {"domain_id": "default"}}')
4) Get a new token scoped to the default domain
==> You are now the cloud admin
It is expected that step number 2 should fail. Admins should be able
to grant roles only on their domain and their projects, not on other
projects. Otherwise, it is as if they are not really scoped at all.
NOTE: I am using the default policy.v3cloudsample.json file as is, unchanged. I only defined the domain of the cloud admins to be the default domain by editing this rule:
"cloud_admin": "rule:admin_required and domain_id:default",
I think that the default policy file should be changed to prevent
administrators' ability to grant roles on objects of foreign domains
(with the exception of admins in the domain defined by the cloud_admin
rule, of course).
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1287219/+subscriptions
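The following is an added illustration of the policy problem the report describes; it is not Keystone's enforcer (oslo.policy) and not the project's policy.v3cloudsample.json. It implements just enough of the policy rule language to evaluate two assumed rule sets: BROAD_POLICY, where a grant only requires the admin role (so any domain admin can perform step 2 against the default domain), and SCOPED_POLICY, where the grant rule also requires the token's domain_id to match the target domain, as the report asks for. The rule names other than `cloud_admin` and `admin_required`, the token dicts (`DOMAIN_ADMIN`, `CLOUD_ADMIN`), and the assumption that the enforcement point passes the target domain's id as `domain_id` in the target dict are all constructed for the example.

```python
"""Tiny evaluator for the subset of the Keystone policy language used by the
sample rules below.  Added example, not Keystone's own enforcer (oslo.policy)
and not the real policy.v3cloudsample.json; the two policy dicts are
assumptions shaped like the sample file, and the token and target dicts are
constructed for the example.

Supported syntax: "rule:NAME", "role:NAME", "KEY:VALUE" (VALUE may be a
template such as %(domain_id)s filled from the target), "@" (always true),
"!" (always false), joined by "and" / "or" with "and" binding tighter.
No parentheses.
"""
import re

# Assumed "before" rules: a grant only needs the admin role, so an admin on
# any domain can grant roles on any other domain (the report's step 2).
BROAD_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "identity:create_grant": "rule:admin_required",
}

# Assumed "after" rules: a grant needs either the cloud admin, or the admin
# role plus a token scoped to the very domain being granted on.
SCOPED_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "domain_admin_for_grants": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants",
}

_TEMPLATE = re.compile(r"^%\((\w+)\)s$")


def _atom(atom, policy, creds, target, depth):
    """Evaluate one check such as role:admin or domain_id:%(domain_id)s."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, sep, value = atom.partition(":")
    if not sep:
        raise ValueError("malformed check: %r" % atom)
    if kind == "rule":
        return _eval(policy[value], policy, creds, target, depth + 1)
    if kind == "role":
        return value in creds.get("roles", ())
    # Generic check: compare a credential attribute (from the token) with a
    # literal, or with a value taken from the target of the request.
    m = _TEMPLATE.match(value)
    if m:
        value = target.get(m.group(1))
    actual = creds.get(kind)
    if actual is None or value is None:
        return False  # a missing attribute never matches
    return str(actual) == str(value)


def _eval(expr, policy, creds, target, depth=0):
    if depth > 32:
        raise ValueError("rule recursion too deep")
    return any(
        all(_atom(a.strip(), policy, creds, target, depth) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def enforce(action, policy, creds, target):
    """Return True if `creds` (the token) may perform `action` on `target`."""
    return _eval(policy[action], policy, creds, target)


# Constructed credentials, as an enforcer would derive them from a token.
DOMAIN_ADMIN = {"user_id": "mallory", "domain_id": "dom_b", "roles": ["admin"]}
CLOUD_ADMIN = {"user_id": "root", "domain_id": "default", "roles": ["admin"]}


def step2_allowed(policy, creds=DOMAIN_ADMIN, target_domain="default"):
    """Step 2 of the report: PUT a role grant on the given domain."""
    return enforce("identity:create_grant", policy, creds, {"domain_id": target_domain})


if __name__ == "__main__":
    print("broad,  domain admin -> default:", step2_allowed(BROAD_POLICY))
    print("scoped, domain admin -> default:", step2_allowed(SCOPED_POLICY))
    print("scoped, domain admin -> dom_b  :", step2_allowed(SCOPED_POLICY, target_domain="dom_b"))
    print("scoped, cloud admin  -> dom_b  :", step2_allowed(SCOPED_POLICY, CLOUD_ADMIN, "dom_b"))
```

Under BROAD_POLICY the domain admin's grant on the default domain is allowed, which is the first link in the escalation chain; under SCOPED_POLICY it is denied while grants on the admin's own domain and the cloud admin's grants anywhere still pass. The scoped rule only helps if the API actually supplies the target domain's id to the enforcer; a rule of the form `domain_id:%(domain_id)s` silently fails closed here when the target attribute is absent, which is the safe direction but worth checking against the real enforcement point.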