yahoo-eng-team team mailing list archive

[Bug 1417366] Re: a normal user can get other user's ec2credential

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1417366

Title:
  a normal user can get other user's ec2credential

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  https://github.com/openstack/keystone/blob/master/etc/policy.json#L65
  Note that owner only checks if the user owns the passed token. In fact, we should also check if the user owns the credential. The correct policy should be the one ec2_delete_credential uses:
  https://github.com/openstack/keystone/blob/master/etc/policy.json#L68

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1417366/+subscriptions
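
The difference between the two rule shapes named in the bug description, as an added example that is not part of the original notification and is not Keystone's policy engine or its policy.json. The function names, role name and sample users are assumptions constructed for illustration.

```python
# Simplified stand-in for a policy check (assumption: not Keystone's engine).
ADMIN_ROLE = "admin"  # hypothetical role name


def is_admin(token):
    return ADMIN_ROLE in token["roles"]


def owner(token, request):
    # The token belongs to the user the request is made for.
    return token["user_id"] == request["user_id"]


def owns_credential(token, credential):
    # The stored credential belongs to the token's user.
    return token["user_id"] == credential["user_id"]


def get_allowed_before(token, request, credential):
    # Rule shape the report describes: token ownership only.
    return is_admin(token) or owner(token, request)


def get_allowed_after(token, request, credential):
    # Rule shape the report asks for: token and credential ownership.
    return is_admin(token) or (owner(token, request)
                               and owns_credential(token, credential))


# Constructed sample data.
ALICE = {"user_id": "alice", "roles": ["member"]}
ADMIN = {"user_id": "root", "roles": ["admin"]}
BOB_CRED = {"id": "cred-bob", "user_id": "bob"}
ALICE_CRED = {"id": "cred-alice", "user_id": "alice"}


def run_cases():
    # Each case maps to (decision before the fix, decision after the fix).
    cases = {
        "alice reads own": (ALICE, {"user_id": "alice"}, ALICE_CRED),
        "alice reads bob's": (ALICE, {"user_id": "alice"}, BOB_CRED),
        "admin reads bob's": (ADMIN, {"user_id": "bob"}, BOB_CRED),
    }
    return {name: (get_allowed_before(*args), get_allowed_after(*args))
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in run_cases().items():
        print(f"{name:20} before={before} after={after}")
```

A regression test for this class of bug needs the cross-user case: a non-admin token paired with a credential owned by someone else must be denied.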