yahoo-eng-team team mailing list archive
Message #36814
[Bug 1475762] Re: v3 Fernet tokens with references outside the default domain can be validated on v2
** Also affects: keystone/kilo
Importance: Undecided
Status: New
** Changed in: keystone/kilo
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1475762
Title:
v3 Fernet tokens with references outside the default domain can be
validated on v2
Status in Keystone:
Fix Committed
Status in Keystone kilo series:
New
Bug description:
v2 has no knowledge of multiple domains, so all ID references it sees
must exist inside the default domain.
So, a v3 token being validated on v2 must have a project-scope in the
default domain, a user identity in the default domain, and obviously
must not be a domain-scoped token.
The current implementation of Fernet blindly returns tokens to the v2
API with (at least) project references that exist outside the default
domain (I have not tested user references). The consequence is that v2
clients may end up with naming collisions (due to lack of domain
namespacing).
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1475762/+subscriptions
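
Added example, not part of the bug report and not Keystone's own code: a minimal sketch of the check the description calls for, run against the body of a v3 token before it is handed to a v2 client. The function names, the "default" domain ID and the sample tokens are assumptions made for illustration, and a token with no project scope is assumed to be acceptable on v2.

```python
# Added illustration of the rule in the bug description; not Keystone's code.
DEFAULT_DOMAIN_ID = "default"  # assumption: the deployment's default_domain_id


class V2Incompatible(Exception):
    """The v3 token cannot be represented safely in a v2 response."""


def v2_violations(token_body, default_domain_id=DEFAULT_DOMAIN_ID):
    """Return the reasons a v3 token body must not be validated on v2."""
    token = token_body["token"]
    problems = []
    # Domain-scoped tokens have no v2 equivalent at all.
    if "domain" in token:
        problems.append("domain-scoped token")
    # The user identity must be in the default domain; a missing domain fails.
    user_domain = token.get("user", {}).get("domain", {}).get("id")
    if user_domain != default_domain_id:
        problems.append("user outside default domain: %r" % user_domain)
    # A project scope, when present, must also be in the default domain.
    project = token.get("project")
    if project is not None:
        project_domain = project.get("domain", {}).get("id")
        if project_domain != default_domain_id:
            problems.append("project outside default domain: %r" % project_domain)
    return problems


def assert_v2_compatible(token_body, default_domain_id=DEFAULT_DOMAIN_ID):
    """Raise instead of returning an out-of-domain token to a v2 caller."""
    problems = v2_violations(token_body, default_domain_id)
    if problems:
        raise V2Incompatible("; ".join(problems))


def sample_token(user_domain, project_domain=None, scope_domain=None):
    """Build a constructed v3-style token body for the demo below."""
    token = {"user": {"id": "u1", "name": "alice", "domain": {"id": user_domain}}}
    if project_domain:
        token["project"] = {"id": "p1", "name": "demo", "domain": {"id": project_domain}}
    if scope_domain:
        token["domain"] = {"id": scope_domain}
    return {"token": token}


if __name__ == "__main__":
    for body in (sample_token("default", "default"), sample_token("default", "d2"),
                 sample_token("d2", "d2"), sample_token("default", scope_domain="default")):
        print(v2_violations(body) or "ok for v2")
```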