yahoo-eng-team team mailing list archive
Message #57137
[Bug 1625619] Re: It is possible to download key pair for other user at the same project
Removed the security tags since it's a class E (or at best class D)
according to the VMT taxonomy:
https://security.openstack.org/vmt-process.html#incident-report-taxonomy.
** Information type changed from Public Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags removed: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1625619
Title:
It is possible to download key pair for other user at the same project
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Identity (keystone):
New
Status in OpenStack Compute (nova):
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The bug was reproduced in the Mitaka OpenStack release.
Steps to reproduce:
1. Log in to Horizon.
2. Click Project -> Compute -> Access and Security.
3. Click the "Key Pairs" tab.
4. Click the "Create Key Pair" button and enter a key pair name.
5. On the next screen, with the download key dialog, copy the URL from the browser URL field. The URL will be like
http://server/horizon/project/access_and_security/keypairs/<my key pair name>/download
6. Click Cancel to close the download window.
7. Click Project -> Compute -> Instances.
8. In the opened window, select another key pair name from the KEY PAIR column (it could be a key pair for a different user).
9. Open a new browser window and paste the URL string from step 5.
10. In the URL, replace <my key pair name> with the name obtained in step 8 and press Enter.
You will be prompted to download the private key for the other user.
This isn't correct: a user should be able to download only his own keys.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1625619/+subscriptions
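
An operator who wants to see whether the request pattern from the report occurs in their deployment can audit the dashboard's access log for key pair download requests made by someone other than the key pair's creator. The following is an added example, not part of the original message and not Horizon or Nova code; only the URL path comes from step 5 of the report, while the log format, the name-to-owner inventory and all user and key pair names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# URL shape from step 5 of the report; log format and names below are assumed.
DOWNLOAD_RE = re.compile(
    r"/horizon/project/access_and_security/keypairs/(?P<name>[^/?\s]+)/download/?$")

# Constructed inventory: key pair name -> creating user (hypothetical names).
KEYPAIR_OWNERS = {"alice-key": "alice", "bob-key": "bob", "ci key": "bob"}

# Constructed access-log lines, assumed format: "<user> <method> <path> <status>".
SAMPLE_LOG = """\
alice GET /horizon/project/access_and_security/keypairs/alice-key/download 200
alice GET /horizon/project/instances/ 200
alice GET /horizon/project/access_and_security/keypairs/bob-key/download 200
bob GET /horizon/project/access_and_security/keypairs/ci%20key/download 200
alice GET /horizon/project/access_and_security/keypairs/ci%20key/download/ 403
carol GET /horizon/project/access_and_security/keypairs/unknown-key/download 200
"""

def parse_line(line):
    """Return (user, keypair_name, status) for a download request, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    user, method, path, status = parts
    match = DOWNLOAD_RE.search(path)
    if method != "GET" or not match or not status.isdigit():
        return None
    # Names are URL-encoded in the path, so decode before comparing.
    return user, unquote(match.group("name")), int(status)

def find_cross_user_downloads(log_text, owners):
    """Flag download requests where the requester is not the recorded owner."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, name, status = parsed
        owner = owners.get(name)  # None: name missing from the inventory
        if owner == user:
            continue
        findings.append({"line": lineno, "user": user, "keypair": name,
                         "owner": owner, "served": 200 <= status < 300})
    return findings
```

The `served` flag separates requests the dashboard answered successfully from ones it rejected, so rejected attempts can be reviewed separately from completed downloads.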