yahoo-eng-team team mailing list archive
Message #37922
[Bug 1475762] Re: v3 tokens with references outside the default domain can be validated on v2
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => liberty-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1475762
Title:
v3 tokens with references outside the default domain can be validated
on v2
Status in Keystone:
Fix Released
Status in Keystone kilo series:
In Progress
Bug description:
v2 has no knowledge of multiple domains, so all ID references it sees
must exist inside the default domain.
So, a v3 token being validated on v2 must have a project-scope in the
default domain, a user identity in the default domain, and obviously
must not be a domain-scoped token.
The current implementation of Fernet blindly returns tokens to the v2
API with (at least) project references that exist outside the default
domain (I have not tested user references). The consequence is that v2
clients may end up with naming collisions (due to lack of domain
namespacing).
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1475762/+subscriptions
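
The three conditions in the bug description, written as a check over a v3 token body. This is an added example, not Keystone's code and not the committed fix; the function names, the sample tokens and the "default" domain id are assumptions made for illustration.

```python
# Added example: the token layout follows the Keystone v3 token body
# (token.user.domain.id, token.project.domain.id, token.domain).
# Function names and sample tokens are constructed for illustration.

DEFAULT_DOMAIN_ID = "default"  # assumption: the deployment's default domain id


def v2_validation_errors(token_body, default_domain_id=DEFAULT_DOMAIN_ID):
    """Return the reasons a v3 token must be refused by v2 validation.

    An empty list means every ID reference lives in the default domain.
    """
    token = token_body["token"]
    errors = []

    # Domain-scoped tokens have no v2 equivalent at all.
    if "domain" in token:
        errors.append("domain-scoped token")

    # The user identity must be in the default domain. A missing domain
    # reference is treated as a failure, never assumed to be the default.
    user_domain = token.get("user", {}).get("domain", {}).get("id")
    if user_domain != default_domain_id:
        errors.append("user outside default domain: %r" % user_domain)

    # Project scope is optional (unscoped tokens); when present, the
    # project must also be in the default domain.
    project = token.get("project")
    if project is not None:
        project_domain = project.get("domain", {}).get("id")
        if project_domain != default_domain_id:
            errors.append("project outside default domain: %r" % project_domain)
    return errors


def _token(user_domain, project_domain=None, scope_domain=None):
    """Build a constructed v3 token body for the demo below."""
    token = {"user": {"id": "u1", "name": "alice", "domain": {"id": user_domain}}}
    if project_domain is not None:
        token["project"] = {"id": "p1", "name": "ops", "domain": {"id": project_domain}}
    if scope_domain is not None:
        token["domain"] = {"id": scope_domain}
    return {"token": token}


if __name__ == "__main__":
    for body in (_token("default", "default"), _token("default", "d2"),
                 _token("d2", "d2"), _token("default", scope_domain="default")):
        print(v2_validation_errors(body) or "ok for v2")
```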