yahoo-eng-team team mailing list archive
Message #50241
[Bug 1577558] Re: v2.0 fernet tokens audit ids are inconsistent
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1577558
Title:
v2.0 fernet tokens audit ids are inconsistent
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
If you set the token provider to token.provider = fernet, get an
unscoped token from v2.0, then rescope that token to a project, you'll
notice the audit ids don't match. I've recreated this issue in a test
[0].
What should happen is that the unscoped token response will have a
list of audit_ids containing a single audit_id. The project scoped
token response from the unscoped token will also have a list of
audit_ids in the token response but the original audit_id from the
unscoped token will be in the list of the project scoped token.
Right now this behavior doesn't exist with the fernet provider on
v2.0.
[0] https://review.openstack.org/#/c/311816/1
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1577558/+subscriptions
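The expected audit_ids relationship described in the bug report, written as a check over two v2.0 token response bodies. This is an added example, not code from the report or from keystone; the token values, the helper names audit_ids and check_rescope, and the rule that a rescoped token also carries an audit id of its own are assumptions.

```python
# Added example: the sample responses below are constructed, not captured traffic.
UNSCOPED = {"access": {"token": {"id": "unscoped-token-placeholder",
                                 "audit_ids": ["Zm9vYmFyYmF6cXV4MDAwMQ"]}}}
RESCOPED_OK = {"access": {"token": {"id": "scoped-token-placeholder",
                                    "tenant": {"id": "project-placeholder"},
                                    "audit_ids": ["Zm9vYmFyYmF6cXV4MDAwMg",
                                                  "Zm9vYmFyYmF6cXV4MDAwMQ"]}}}
# The behaviour the report describes: the original audit id is not carried over.
RESCOPED_BROKEN = {"access": {"token": {"id": "scoped-token-placeholder",
                                        "tenant": {"id": "project-placeholder"},
                                        "audit_ids": ["Zm9vYmFyYmF6cXV4MDAwMw"]}}}


def audit_ids(response):
    """Extract access.token.audit_ids from a v2.0 token response body."""
    try:
        ids = response["access"]["token"]["audit_ids"]
    except (KeyError, TypeError):
        raise ValueError("no access.token.audit_ids in response") from None
    if not isinstance(ids, list) or not ids:
        raise ValueError("audit_ids must be a non-empty list")
    if not all(isinstance(i, str) and i for i in ids):
        raise ValueError("audit_ids entries must be non-empty strings")
    return ids


def check_rescope(unscoped, rescoped):
    """Return a list of problems; an empty list means the chain is intact."""
    parent, child = audit_ids(unscoped), audit_ids(rescoped)
    problems = []
    if len(parent) != 1:
        problems.append("unscoped token should carry exactly one audit_id")
    if parent[0] not in child:
        problems.append("original audit_id missing from rescoped token")
    # Assumption (not stated in the report): the rescoped token also has an
    # audit id of its own, so the two tokens can be told apart in audit logs.
    if all(i == parent[0] for i in child):
        problems.append("rescoped token has no audit_id of its own")
    return problems


if __name__ == "__main__":
    for name, resp in (("ok", RESCOPED_OK), ("broken", RESCOPED_BROKEN)):
        print(name, check_rescope(UNSCOPED, resp) or "audit chain intact")
```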