yahoo-eng-team team mailing list archive

[Alan Pevec <1379077@xxxxxxxxxxxxxxxxxx>]

** Changed in: keystone/juno
       Status: Confirmed => Won't Fix

** Tags removed: juno-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1379077

Title:
  Tenants can be created with invalid ids

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) icehouse series:
  Won't Fix
Status in OpenStack Identity (keystone) juno series:
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  When creating a new tenant, there is an optional argument 'id' that
  may be passed:

  https://github.com/openstack/keystone/blob/9025b64a8f2bf5cf01a18453d6728e081bd2c3b9/keystone/assignment/controllers.py#L114

  If not passed, this just creates a uuid and proceeds.  If a value is
  passed, it will use that value.  So a user with priv's to create a
  tenant can pass something like "../../../../../" as the id.  If this
  is done, then the project can't be deleted without manually removing
  the value from the database. This can lead to a DoS that could fill
  the db and take down the cloud, in the worst of circumstances.

  I believe the proper fix here would be to just remove this feature
  altogether.  But this is because I'm not clear about why we would ever
  want to allow someone to set the id manually.  If there's a valid use
  case here, then we should at least do some input validation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1379077/+subscriptions