yahoo-eng-team team mailing list archive

[Bug 1529721] Re: Attempting a RoleCheck when the credentials do not contain a roles list causes an exception


** Changed in: oslo.policy
       Status: Fix Committed => Fix Released

** Changed in: oslo.policy
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1529721

Title:
  Attempting a RoleCheck when the credentials do not contain a roles
  list causes an exception

Status in OpenStack Identity (keystone):
  Invalid
Status in oslo.policy:
  Fix Released

Bug description:
  How to reproduce this bug using keystone:

  1) Retrieve an unscoped token for any valid account.

  2) Using curl - invoke list_user_projects for the SAME user from step
  1 using the token from step 1, and observe that this works as
  expected.

  3) Alter the in-use policy file by inserting "role:service or " at the beginning of the rule for list_user_projects ...
  <     "identity:list_user_projects": "role:service or rule:admin_or_owner",
  ---
  >     "identity:list_user_projects": "rule:admin_or_owner",
  .... Note that the addition of this 'or' clause should not be able to logically cause any additional denials.

  4) Try the identical curl command from step 2 again, and observe that
  it now fails with 403 Forbidden.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1529721/+subscriptions
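The failure mode in the report, as an added stand-alone example that is not code from the bug report or from oslo.policy itself: a minimal model of evaluating an "A or B" policy rule, where a RoleCheck that indexes creds['roles'] directly raises on credentials from an unscoped token (which carry no roles list), so the whole rule fails closed even though the "or rule:admin_or_owner" branch would have allowed the call. All names here are assumptions, and treating an evaluation exception as a denial is a modelling assumption matching the 403 the reporter observed.

```python
# Added example (not oslo.policy's own code): why "role:service or
# rule:admin_or_owner" denies an unscoped token when RoleCheck is not
# defensive about a missing 'roles' key, and the tolerant form that fixes it.


def role_check_buggy(match, target, creds):
    # Direct indexing: credentials from an unscoped token have no 'roles'
    # key, so this raises KeyError before the 'or' branch is ever tried.
    return match.lower() in [r.lower() for r in creds['roles']]


def role_check_fixed(match, target, creds):
    # Defensive form: an absent or empty roles list means "role not held".
    return match.lower() in [r.lower() for r in creds.get('roles') or []]


def admin_or_owner(target, creds):
    # Simplified stand-in for rule:admin_or_owner: admin role, or the caller
    # is the very user whose projects are being listed.
    roles = [r.lower() for r in creds.get('roles') or []]
    return 'admin' in roles or creds.get('user_id') == target.get('user_id')


def enforce(rule, target, creds):
    """OR of checks; an exception during evaluation is treated as a denial
    (modelling assumption, matching the 403 seen in the report)."""
    try:
        return any(check(target, creds) for check in rule)
    except Exception:
        return False


# Constructed sample: unscoped-token credentials carry the user id but no
# roles list; the target is that same user's project listing.
UNSCOPED_CREDS = {'user_id': 'user-123'}
TARGET = {'user_id': 'user-123'}

ORIGINAL_RULE = [admin_or_owner]                                   # rule:admin_or_owner
BUGGY_RULE = [lambda t, c: role_check_buggy('service', t, c), admin_or_owner]
FIXED_RULE = [lambda t, c: role_check_fixed('service', t, c), admin_or_owner]


def reproduce():
    # Mirrors steps 2 and 4 of the report: allowed, then denied after the
    # 'or' clause is prepended, then allowed again with the tolerant check.
    return {
        'original': enforce(ORIGINAL_RULE, TARGET, UNSCOPED_CREDS),
        'with_buggy_rolecheck': enforce(BUGGY_RULE, TARGET, UNSCOPED_CREDS),
        'with_fixed_rolecheck': enforce(FIXED_RULE, TARGET, UNSCOPED_CREDS),
    }
```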
