yahoo-eng-team team mailing list archive

[Bug 1417366] [NEW] a normal user can get other user's ec2credential


Public bug reported:

https://github.com/openstack/keystone/blob/master/etc/policy.json#L65
Note that owner only checks whether the user owns the passed token. In fact, we should also check whether the user owns the credential. The correct policy should be the one ec2_delete_credential uses:
https://github.com/openstack/keystone/blob/master/etc/policy.json#L68
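The difference between the two rules, as an added worked example that is not code from the bug report or from Keystone: a minimal evaluator for the policy.json rule syntax, run over a constructed user token and another user's credential. The rule text is reproduced from memory of Keystone's policy.json of the time and the target layout mirrors the target.credential key the report refers to; both are assumptions.

```python
import re
from functools import reduce

# Stand-in for the policy.json rules the report compares (rule text quoted from memory: an assumption).
RULES = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    # Weak rule: 'owner' only compares the token's user with the user_id in the URL.
    "identity:ec2_get_credential": "rule:admin_required or rule:owner",
    # Rule the report says to copy: the caller must also own the credential itself.
    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
}

def _check(atom, creds, target):
    """One 'kind:value' atom; a %(a.b.c)s value is looked up as target[a][b][c]."""
    kind, _, spec = atom.partition(":")
    if kind == "rule":
        return enforce(RULES[spec], creds, target)
    m = re.fullmatch(r"%\((.+)\)s", spec)
    expected = reduce(lambda d, k: d[k], m.group(1).split("."), target) if m else spec
    if kind == "role":
        return expected in creds.get("roles", [])
    return creds.get(kind) == expected
def _expr(tokens, creds, target, level=0):
    """Recursive descent: level 0 is an 'or' chain, 1 an 'and' chain, 2 an atom or group."""
    if level == 2:
        tok = tokens.pop(0)
        if tok != "(":
            return _check(tok, creds, target)
        result = _expr(tokens, creds, target)
        tokens.pop(0)  # the matching ')'
        return result
    op = ("or", "and")[level]
    result = _expr(tokens, creds, target, level + 1)
    while tokens and tokens[0] == op:
        tokens.pop(0)
        rhs = _expr(tokens, creds, target, level + 1)  # always evaluated so tokens are consumed
        result = (result or rhs) if op == "or" else (result and rhs)
    return result
def enforce(expr, creds, target):
    # Tokenise into parentheses, operators and 'kind:value' atoms, then evaluate.
    return _expr(re.findall(r"\(|\)|and|or|\w+:%\([\w.]+\)s|\w+:\w+", expr), creds, target)
def policy_allows(action, creds, url_user_id, credential):
    """Target mirrors what Keystone's protected() builds: URL params plus the loaded credential."""
    target = {"user_id": url_user_id, "target": {"credential": credential}}
    return enforce(RULES[action], creds, target)

# Constructed sample data: alice's token and a credential that belongs to bob.
ALICE = {"user_id": "alice", "roles": ["member"]}
BOB_CRED = {"id": "cred-bob-1", "user_id": "bob"}
```

With alice requesting bob's credential under her own user_id in the URL, the weak rule returns True and the rule borrowed from ec2_delete_credential returns False, which is the check the report asks for.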

** Affects: keystone
     Importance: Undecided
     Assignee: wanghong (w-wanghong)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => wanghong (w-wanghong)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1417366

Title:
  a normal user can get other user's ec2credential

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1417366/+subscriptions
