← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #65770

[Bug 1703369] Re: get_identity_providers policy should be singular

  Thread PreviousDate PreviousThread Next 
To recap the conversation and summarize what was discuss in IRC [0].

There is a security issue if a deployer modifies the default policy role
required for an operation but wishes to keep the
identity:get_identity_providers protected at the "admin-level". This was
deemed as unlikely since the default and get_identity_provider were
protected with the same admin_required rule.

For the sake of process, we can merge the proposed fix [1] with a
detailed release note explaining the case. After that we can propose the
patch to stable/ocata as well as stable/newton. Even though a deployer
can technically issue this fix without a new release, the process of
issuing a release note seems valuable at least for the sake of process.


[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-07-11.log.html#t2017-07-11T21:26:46
[1] https://review.openstack.org/#/c/482142/

** Also affects: keystone/newton
   Importance: Undecided
       Status: New

** Also affects: keystone/ocata
   Importance: Undecided
       Status: New

** Changed in: keystone
    Milestone: None => pike-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1703369

Title:
  get_identity_providers policy should be singular

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) newton series:
  New
Status in OpenStack Identity (keystone) ocata series:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  identity:get_identity_providers should be
  identity:get_identity_provider (singular) since a GET is targeted on a
  single provider and the code is setup to check for
  identity:get_identity_provider (singular). See
  https://github.com/openstack/keystone/blob/c7e29560b7bf7a44e44722eea0645bf18ad56af3/keystone/federation/controllers.py#L112

  found in master (pike)

  The ocata default policy.json also has this problem. Unless someone
  manually overrode policy to specify identity:get_identity_provider
  (singular), the result would be that the default rule was actually
  used for that check instead of identity:get_identity_providers. We
  could go back and fix the default policy.json for past releases, but
  the default actually has the same value as
  identity:get_identity_providers, and if nobody has complained it's
  probably safer to just leave it. It is, after all, just defaults there
  and anyone can override by specifying the correct value.

  But we must fix in pike to go along with the shift of policy into
  code. Policy defaults in code definitely need to match up with what
  the code actually checks. There should no longer be any reliance on
  the default rule.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1703369/+subscriptions

References

  Thread PreviousDate PreviousThread Next