
yahoo-eng-team team mailing list archive

[Bug 1417522] Re: a normal user can delete other user's ec2 credentials

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1417522

Title:
  a normal user can delete other user's ec2 credentials

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  When using the default policy.v3cloudsample.json, a normal user can
  delete another user's ec2 credential. This is because the current policy
  of identity:ec2_delete_credential is (rule:admin_or_cloud_admin or
  rule:owner) or (rule:owner and user_id:%(target.credential.user_id)s).
  Note that rule:owner is "user_id:%(user_id)s or
  user_id:%(target.token.user_id)s", which only checks whether the user
  from the token matches the user from the URL. We should also check
  whether the user owns the credential being deleted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1417522/+subscriptions
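
The rule logic described in the report, evaluated by a small stand-alone checker. This is an added example, not code from the report or from Keystone. The evaluator, the simplified "admin_or_cloud_admin" rule, the "tightened" rule and the alice/bob request are assumptions made for illustration.

```python
import re
# Constructed rule set: "owner" and "reported" are quoted from the bug
# description; "admin_or_cloud_admin" is simplified and "tightened" is an
# assumed correction, not the project's actual fix.
RULES = {
    "admin_or_cloud_admin": "role:admin",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "reported": "(rule:admin_or_cloud_admin or rule:owner) or "
                "(rule:owner and user_id:%(target.credential.user_id)s)",
    "tightened": "rule:admin_or_cloud_admin or "
                 "(rule:owner and user_id:%(target.credential.user_id)s)",
}
TOKEN = re.compile(r"\w+:%\([\w.]+\)s|\w+:\w+|\(|\)|\w+")

def allowed(rule, creds, target):
    """Evaluate a named rule for token credentials against a request target."""
    tokens, pos = TOKEN.findall(RULES[rule]), 0

    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val = or_expr()
            pos += 1  # consume ")"
            return val
        kind, match = tok.split(":", 1)
        if kind == "rule":
            return allowed(match, creds, target)
        if kind == "role":
            return match in creds.get("roles", [])
        key = match[2:-2]  # strip "%(" and ")s"; a missing key fails closed
        return key in target and creds.get(kind) == target[key]

    def chain(op, sub):
        nonlocal pos
        val = sub()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = sub()  # always parse the right-hand side
            val = (val and rhs) if op == "and" else (val or rhs)
        return val

    def or_expr():
        return chain("or", lambda: chain("and", atom))
    return or_expr()

# Constructed request: alice's token, alice's id in the URL, bob's credential.
ALICE = {"user_id": "alice", "roles": ["member"]}
FOREIGN = {"user_id": "alice", "target.credential.user_id": "bob"}
```

With these inputs, allowed("reported", ALICE, FOREIGN) is True because the first "rule:owner" branch never consults target.credential.user_id, while allowed("tightened", ALICE, FOREIGN) is False.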

