
yahoo-eng-team team mailing list archive

[Bug 1872753] Re: Updating EC2 credential blob can lead to a ec2 credential id / credential id mismatch

 

Reviewed:  https://review.opendev.org/728387
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=252c23b1b80bfbc0e9b54ac31a5b97c117cf3d77
Submitter: Zuul
Branch:    master

commit 252c23b1b80bfbc0e9b54ac31a5b97c117cf3d77
Author: Vishakha Agarwal <agarwalvishakha18@xxxxxxxxx>
Date:   Fri May 15 14:13:40 2020 +0530

    Disable EC2 credentials access_id update
    
    Without this patch a user can alter the EC2 credential access_id, and
    the user cannot use it anymore as an EC2 auth token, since the EC2
    credential access ID is used to calculate the ID of the "credential" [1]
    and it doesn't update the EC2 credential ID with the new access ID. This
    leads to unwanted EC2 credentials stored in the database.
    
    As per the discussion of the keystone team [2], we decided to block
    patching of the "access_id" attribute.
    
    [1] https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/users.py#L363
    [2] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting-alt/%23openstack-meeting-alt.2020-05-12.log.html#t2020-05-12T17:45:20
    
    Closes-Bug: #1872753
    Change-Id: I1f6ce3927c2881d9a2d7dcda3ccd29e0a82e45a9


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872753

Title:
  Updating EC2 credential blob can lead to a ec2 credential id /
  credential id mismatch

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Updating the ec2 credential blob field via "openstack credential set
  --data '***'" allows updating the EC2 credential access ID.
  Considering that the EC2 credential access ID is used to calculate the ID
  of the "credential"
  (https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/users.py#L363,
  https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/common/utils.py#L101),
  the update action doesn't update the actual credential ID using the new
  access ID sha256sum. This can lead to invalid ec2 credentials.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872753/+subscriptions
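
The mismatch described in the bug report, modelled as an added example that is not part of the original notification and is not Keystone's code. It assumes an in-memory dict in place of the credential table and a JSON blob with "access" and "secret" keys; all function names and sample values are hypothetical. It shows the unchecked update, the blocking check the commit describes, and an audit that finds rows already out of sync.

```python
import hashlib
import json


def credential_id_for(access_id):
    # Per the bug report: credential ID = sha256sum of the EC2 access ID.
    return hashlib.sha256(access_id.encode("utf-8")).hexdigest()


def create_ec2_credential(store, user_id, access_id, secret):
    cred_id = credential_id_for(access_id)
    blob = json.dumps({"access": access_id, "secret": secret})
    store[cred_id] = {"type": "ec2", "user_id": user_id, "blob": blob}
    return cred_id


def update_blob_unchecked(store, cred_id, new_blob):
    # Pre-fix behaviour: the blob is replaced, the stored ID stays as it was.
    store[cred_id]["blob"] = json.dumps(new_blob)


def update_blob_checked(store, cred_id, new_blob):
    # Behaviour the commit describes: refuse a change of access_id.
    cred = store[cred_id]
    if cred["type"] == "ec2":
        current = json.loads(cred["blob"]).get("access")
        if new_blob.get("access") != current:
            raise ValueError("EC2 credential access_id cannot be updated")
    cred["blob"] = json.dumps(new_blob)


def find_mismatched(store):
    # Audit: EC2 credentials whose ID is no longer sha256(access in blob).
    bad = []
    for cred_id, cred in store.items():
        if cred["type"] == "ec2":
            access = json.loads(cred["blob"]).get("access")
            if access is None or credential_id_for(access) != cred_id:
                bad.append(cred_id)
    return bad


if __name__ == "__main__":
    store = {}  # constructed in-memory stand-in for the credential table
    cid = create_ec2_credential(store, "user-1", "access-old", "secret-1")
    update_blob_unchecked(store, cid, {"access": "access-new", "secret": "secret-1"})
    print("mismatched after unchecked update:", find_mismatched(store))
    print("lookup by new access ID finds a row:", credential_id_for("access-new") in store)
```
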

