yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2109693] [NEW] User with the admin role can view the secret key of other user's EC2 credentials.

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: LeeChunghwan <2109693@xxxxxxxxxxxxxxxxxx>
Date: Wed, 30 Apr 2025 12:10:36 -0000
Reply-to: Bug 2109693 <2109693@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

User with the admin role can view the secret key of other user's EC2 credential, even if it does not belong to the user.
I think that even user with admin role should be prevented from viewing the secret key of other user's EC2 credential and the secret key of other user's EC2 credential should be encrypted or masked.

** Affects: keystone
Importance: Undecided
Assignee: LeeChunghwan (chung00lee)
Status: New

** Changed in: keystone
Assignee: (unassigned) => LeeChunghwan (chung00lee)

** Summary changed:

- User with the admin role can view the secret key of all users' EC2 credentials.
+ User with the admin role can view the secret key of other user's EC2 credentials.

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2109693

Title:
User with the admin role can view the secret key of other user's EC2
credentials.

Status in OpenStack Identity (keystone):
New

Bug description:
User with the admin role can view the secret key of other user's EC2 credential, even if it does not belong to the user.
I think that even user with admin role should be prevented from viewing the secret key of other user's EC2 credential and the secret key of other user's EC2 credential should be encrypted or masked.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2109693/+subscriptions