yahoo-eng-team team mailing list archive
Message #27557
[Bug 1417522] [NEW] a normal user can delete another user's ec2 credential
Public bug reported:
When using the default policy.v3cloudsample.json, a normal user can delete
another user's ec2 credential. This is because the current policy for
identity:ec2_delete_credential is (rule:admin_or_cloud_admin or
rule:owner) or (rule:owner and user_id:%(target.credential.user_id)s).
Note that rule:owner is "user_id:%(user_id)s or
user_id:%(target.token.user_id)s", which only checks whether the user from
the token matches the user from the URL. We should also check whether the
user owns the credential being deleted.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1417522
Title:
a normal user can delete another user's ec2 credential
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1417522/+subscriptions
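An added example, not part of the bug report or of Keystone, that replays the rule logic quoted above in a small stand-in evaluator (it is not oslo.policy): it shows the quoted rule granting a non-admin the deletion of another user's credential, and a hypothetical tightened rule that also requires ownership of the target credential. The body of the admin rule, the request shape and the user ids are constructed for the demonstration.

```python
import re
from functools import reduce

# Minimal evaluator for the rule syntax used in policy.v3cloudsample.json
# (rule:<name> references, <key>:%(<path>)s checks, and/or, parentheses).
# It is NOT oslo.policy, only a stand-in with the same meaning for these
# constructs: <key> is read from the token's credentials, %(<path>)s from the
# request target dict (target.credential.user_id walks
# target["target"]["credential"]["user_id"]).
TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^\s()]*\)[^\s()]*)?")  # keeps %(path)s whole

WEAK = {  # the rules quoted in the bug report; the admin rule is a constructed stand-in
    "admin_or_cloud_admin": "role:admin",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "identity:ec2_delete_credential": "(rule:admin_or_cloud_admin or rule:owner)"
    " or (rule:owner and user_id:%(target.credential.user_id)s)",
}
# Hypothetical tightened rule: a non-admin must also own the credential being deleted.
FIXED = dict(WEAK, **{"identity:ec2_delete_credential":
    "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)"})

def _atom(tok, policy, creds, target):
    """Evaluate one check token to a bool."""
    if tok.startswith("rule:"):
        return evaluate(policy, tok[5:], creds, target)
    key, _, value = tok.partition(":")
    if key == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:  # substitute the value from the request target, as %(...)s does
        value = reduce(lambda d, k: d[k], m.group(1).split("."), target)
    return creds.get(key) == value

def evaluate(policy, rule, creds, target):
    """True if creds may perform `rule` on target. Every check token is first
    reduced to True/False; Python's and/or precedence matches the policy
    language, so the remaining whitelisted syntax tokens can be evaluated as
    an expression (only True/False and those four tokens ever reach eval)."""
    syntax = {"(", ")", "and", "or"}
    expr = " ".join(tok if tok in syntax else str(_atom(tok, policy, creds, target))
                    for tok in TOKEN.findall(policy[rule]))
    return eval(expr, {"__builtins__": {}}, {})

def can_delete(policy, token_user, roles, url_user, cred_owner):
    """Constructed request: DELETE /v3/users/<url_user>/credentials/OS-EC2/<id>
    where credential <id> belongs to cred_owner."""
    creds = {"user_id": token_user, "roles": roles}
    target = {"user_id": url_user,  # URL parameter
              "target": {"token": {"user_id": token_user},
                         "credential": {"user_id": cred_owner}}}
    return evaluate(policy, "identity:ec2_delete_credential", creds, target)
```

With WEAK, `can_delete(WEAK, "alice", [], "alice", "bob")` is True because the second `rule:owner` disjunct already satisfies the whole expression; with FIXED the same request is denied while an admin, or alice deleting her own credential, is still allowed.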