yahoo-eng-team team mailing list archive
Message #15145
[Bug 890411] Re: Tenant role conflicts/overlaps can be a security issue
This stems from a design decision, and isn't really a bug. This is more
of a lack of a feature. This should be written up as a specification:
https://git.openstack.org/cgit/openstack/keystone-specs and treated like
a new feature. Marking this bug as "won't fix".
** Changed in: keystone
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/890411
Title:
Tenant role conflicts/overlaps can be a security issue
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
During the validate token call all the tenant roles (associated with
the tenant-scoped token) are returned to the middleware component and
then passed along in the X_ROLES header to the OS service for
consumption. In the case where more than one OS service is bound to
the same tenant (e.g. Swift and Nova, or Nova 1 and Nova 2), a user
with a particular role for one service, let's just say the 'Admin' role,
will now also have the 'Admin' role in the second service. This is
because roles are currently only scoped to the tenant level. The
middleware just takes all returned tenant roles and stuffs them into
the X_ROLES header regardless of the actual service the middleware is
protecting. A quick fix to this problem would be to change the
validate token interfaces (GET/HEAD /tokens/{tokenId}) to require a
{serviceId} filter... so something like GET
/tokens/{tokenId}?serviceId={serviceId}. The Keystone service would
then only return roles in the response that are tied to that specific
serviceId. If the serviceId was not provided, or was invalid, or no
roles were found for that serviceId, then a 401 would be returned.
Future Keystone work could consider allowing filtering down to the
{endpointId}, but such a change would require a data model
change to allow serviceIds to be defined on endpoint references....
Not to mention more API changes.
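The following is an added toy model of the role-scoping problem the bug report describes, written for this page and not taken from Keystone or its auth middleware. It keeps an in-memory token store and a constructed set of role assignments, and contrasts the current behaviour (every tenant role is placed in X_ROLES regardless of the service being protected) with the report's proposed `GET /tokens/{tokenId}?serviceId={serviceId}` filter, including the 401 cases it lists. The service ids, user, token id and `RoleAssignment.service_id` field are assumptions made for the illustration.

```python
"""Toy model of tenant-scoped vs service-scoped role validation (bug 890411).

Added illustration only; not Keystone code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


class Unauthorized(Exception):
    """Stands in for the HTTP 401 the proposed validate-token API would return."""


@dataclass
class Token:
    tenant_id: str
    user_id: str


@dataclass
class RoleAssignment:
    user_id: str
    tenant_id: str
    role: str
    # Hypothetical field: which service the role is tied to. The current data
    # model has no such binding, which is the root of the overlap described.
    service_id: Optional[str] = None


# Constructed sample data: Swift and Nova (and a third service with no roles
# granted) are all bound to the same tenant.
SERVICES = {"svc-swift", "svc-nova", "svc-other"}
TOKENS = {"tok-alice": Token(tenant_id="tenant-1", user_id="alice")}
ASSIGNMENTS = [
    RoleAssignment("alice", "tenant-1", "Admin", service_id="svc-swift"),
    RoleAssignment("alice", "tenant-1", "Member", service_id="svc-nova"),
]


def _lookup(token_id: str) -> Token:
    token = TOKENS.get(token_id)
    if token is None:
        raise Unauthorized("unknown token")
    return token


def validate_token_current(token_id: str) -> List[str]:
    """Current behaviour: return every role the user holds on the tenant."""
    token = _lookup(token_id)
    return sorted({a.role for a in ASSIGNMENTS
                   if a.user_id == token.user_id and a.tenant_id == token.tenant_id})


def validate_token_filtered(token_id: str, service_id: Optional[str]) -> List[str]:
    """Proposed behaviour: only roles tied to service_id are returned.

    Missing or invalid serviceId, or an empty role set for it, yields 401.
    """
    token = _lookup(token_id)
    if service_id is None or service_id not in SERVICES:
        raise Unauthorized("serviceId missing or invalid")
    roles = sorted({a.role for a in ASSIGNMENTS
                    if a.user_id == token.user_id
                    and a.tenant_id == token.tenant_id
                    and a.service_id == service_id})
    if not roles:
        raise Unauthorized("no roles for serviceId")
    return roles


def middleware_current(token_id: str, protected_service_id: str) -> str:
    """Current middleware: X_ROLES is built without regard to the service."""
    return ",".join(validate_token_current(token_id))


def middleware_filtered(token_id: str, protected_service_id: str) -> str:
    """Middleware using the proposed filter: X_ROLES holds only this service's roles."""
    return ",".join(validate_token_filtered(token_id, protected_service_id))


if __name__ == "__main__":
    # Nova currently sees Alice's Swift 'Admin' role; with the filter it does not.
    print("current  nova X_ROLES:", middleware_current("tok-alice", "svc-nova"))
    print("filtered nova X_ROLES:", middleware_filtered("tok-alice", "svc-nova"))
```

Running the block shows `Admin,Member` reaching Nova under the current model and only `Member` under the filtered one; a request for `svc-other`, or with no serviceId at all, raises `Unauthorized`, matching the three 401 conditions in the report.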