yahoo-eng-team team mailing list archive
Message #74665
[Bug 1792047] [NEW] keystone rbacenforcer not populating policy dict with view args
*** This bug is a security vulnerability ***
Public security bug reported:
The old @protected decorator pushed the view arguments into the
policy_dict for enforcement purposes[0]. This was missed in the new
RBACEnforcer.
[0] https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152
** Affects: keystone
Importance: High
Assignee: Morgan Fainberg (mdrnstm)
Status: In Progress
** Affects: keystone/rocky
Importance: High
Assignee: Morgan Fainberg (mdrnstm)
Status: In Progress
** Affects: keystone/stein
Importance: High
Assignee: Morgan Fainberg (mdrnstm)
Status: In Progress
** Changed in: keystone
Importance: Undecided => High
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Assignee: (unassigned) => Morgan Fainberg (mdrnstm)
** Also affects: keystone/rocky
Importance: Undecided
Status: New
** Also affects: keystone/stein
Importance: High
Assignee: Morgan Fainberg (mdrnstm)
Status: Triaged
** Changed in: keystone/rocky
Status: New => Triaged
** Changed in: keystone/rocky
Importance: Undecided => High
** Changed in: keystone/rocky
Assignee: (unassigned) => Morgan Fainberg (mdrnstm)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1792047
Title:
keystone rbacenforcer not populating policy dict with view args
Status in OpenStack Identity (keystone):
In Progress
Status in OpenStack Identity (keystone) rocky series:
In Progress
Status in OpenStack Identity (keystone) stein series:
In Progress
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1792047/+subscriptions
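
What "view arguments in the policy dict" means for enforcement, shown as an added example that is not keystone's or oslo.policy's code: a simplified template-style rule check evaluated with and without the URL arguments merged into the target. The names `build_target`, `check` and `missing_target_keys`, the rule string and the credentials are constructed for illustration.

```python
import re

# Simplified model of template-style policy checks, constructed for this
# example. It is not keystone or oslo.policy code.
RULE = "user_id:%(user_id)s"      # owner-style rule keyed on a URL argument
CREDS = {"user_id": "alice"}      # constructed caller credentials


def build_target(view_args, include_view_args):
    """Assemble the dict that rules are evaluated against."""
    target = {}
    if include_view_args:           # the step the bug report says was missed
        target.update(view_args)
    return target


def check(rule, target, creds):
    """Evaluate 'cred_key:%(target_key)s'; a missing target key fails the rule."""
    cred_key, _, template = rule.partition(":")
    try:
        expected = template % target
    except KeyError:
        return False
    return str(creds.get(cred_key)) == expected


def missing_target_keys(rule, target):
    """Regression check: target keys the rule references but never receives."""
    return sorted(set(re.findall(r"%\((\w+)\)s", rule)) - set(target))


def demo():
    own, other = {"user_id": "alice"}, {"user_id": "bob"}  # e.g. /users/<user_id>
    results = {}
    for label, include in (("with_view_args", True), ("without_view_args", False)):
        results[label] = {
            "own": check(RULE, build_target(own, include), CREDS),
            "other": check(RULE, build_target(other, include), CREDS),
            "missing": missing_target_keys(RULE, build_target(own, include)),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

In this model, once the view arguments are absent the rule returns the same answer for every URL, so the decision no longer depends on which resource is requested; `missing_target_keys` is the kind of assertion a test suite can run over each rule to catch that.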