← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1625619] Re: It is possible to download key pair for other user at the same project

 

Removed the security tags since it's a class E (or at best class D)
according to the VMT taxonomy: https://security.openstack.org/vmt-
process.html#incident-report-taxonomy.

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags removed: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1625619

Title:
  It is possible to download key pair for other user at the same project

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Identity (keystone):
  New
Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Bug was reproduced in mitaka openstack release.

  Steps to reproduce:

  1. Login to horizon.
  2. Click Project-> Compute -> Access and Security
  3. Click "Key Pairs" tab
  4. Click "Create Key Pair" button, enter keypair name.
  5. On the next screen with download key dialog copy URL from browser URL field

  URL will be like
  http://server/horizon/project/access_and_security/keypairs/<my key
  pair name>/download

  6. Click cancel to close download window.
  7. Click Project->Compute->Instances.
  8. In opened window select other key pair name from KEY PAIR column (it could be key pair for different user)
  9. open new browser window, paste URL string from step 5.
  10. Change in URL <my key pair name> with name obtained from step 8 and press enter

  You will be prompted to download private key for other user.

  It isn't correct user should be able to download only his own keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1625619/+subscriptions