residual grants after delete action

Bug #1125637 reported by gordon chung
This bug affects 1 person
Affects                        Status        Importance  Assigned to     Milestone
OpenStack Identity (keystone)  Fix Released  Medium      gordon chung
Grizzly                        Fix Released  Medium      Adam Gandelman

Bug Description

Currently, if you delete a role, the grant still exists (except for the user-project grant, which gets cleaned up on role delete).

The grant should be dropped as well to avoid possible security issues.

gordon chung (chungg)
Changed in keystone:
assignee: nobody → gordon chung (chungg)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/22008

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
tags: added: grizzly-rc-potential
Thierry Carrez (ttx)
tags: added: grizzly-backprot-potential
removed: grizzly-rc-potential
tags: added: grizzly-backport-potential
removed: grizzly-backprot-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/22008
Committed: http://github.com/openstack/keystone/commit/e16742bdf2f1fa7386f2983b037a78fde4a576c3
Submitter: Jenkins
Branch: master

commit e16742bdf2f1fa7386f2983b037a78fde4a576c3
Author: Gordon Chung <email address hidden>
Date: Thu Feb 14 19:55:00 2013 -0500

    residual grants after delete action (bug1125637)

    remove all applicable grants when role is deleted
    (sql/kvs solution only)

    Fixes: bug #1125637
    Change-Id: I3a958c6d56739e37a95f6c713fab154827e9ceca

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
Kurt Seifried (kseifried) wrote :

Are these grants still accessible in some way? I'm trying to figure out if this is security hardening or a security flaw. It appears to be security hardening, can anyone confirm it?

Revision history for this message
Adam Young (ayoung) wrote :

Yes, but the real security issue is on the enforcement side, which is based on policy. Dropping the Role does not drop the policy enforcement, which is usually of the form "user needs the role R on Project P in order to execute the method M that affects project P", so just dropping the role is not sufficient to revoke that role from all users, and will have no effect on the overall system. It is surprising, but not necessarily a security bug. Still worth fixing and probably backporting the fix.

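The bug described in this report and the point raised in the comment above, as an added illustration that is not keystone's own code: a constructed in-memory assignment store with the pre-fix role deletion (only user-project grants cleaned up) beside the fixed one (every grant referencing the role removed), plus a resolver showing that a leftover grant on a deleted role can no longer resolve to a role name. All names, grant shapes and data here are constructed assumptions.

```python
# Constructed stand-in for keystone's assignment backend (not keystone code).
# A grant is (actor_type, actor_id, target_type, target_id, role_id).
class AssignmentStore:
    def __init__(self):
        self.roles = {}          # role_id -> role name
        self.grants = set()
        self.group_members = {}  # group_id -> set of user ids

    def grant(self, actor_type, actor_id, target_type, target_id, role_id):
        self.grants.add((actor_type, actor_id, target_type, target_id, role_id))

    def delete_role_buggy(self, role_id):
        """Pre-fix behaviour: only user-project grants are cleaned up."""
        del self.roles[role_id]
        self.grants = {g for g in self.grants
                       if not (g[0] == "user" and g[2] == "project" and g[4] == role_id)}

    def delete_role_fixed(self, role_id):
        """Post-fix behaviour: every grant that references the role is removed."""
        del self.roles[role_id]
        self.grants = {g for g in self.grants if g[4] != role_id}

    def residual_grants(self):
        """Grants that still point at a role id that no longer exists."""
        return {g for g in self.grants if g[4] not in self.roles}

    def effective_roles(self, user_id, target_type, target_id):
        """Role names the user holds on the target, directly or via a group;
        a grant on a deleted role cannot resolve to a name."""
        groups = {gid for gid, m in self.group_members.items() if user_id in m}
        names = set()
        for actor_type, actor_id, ttype, tid, rid in self.grants:
            if (ttype, tid) != (target_type, target_id) or rid not in self.roles:
                continue
            if (actor_type == "user" and actor_id == user_id) or \
               (actor_type == "group" and actor_id in groups):
                names.add(self.roles[rid])
        return names

def demo(fixed):
    """Delete role r1 via the buggy or the fixed path; report what is left."""
    s = AssignmentStore()
    s.roles["r1"] = "admin"
    s.group_members["g1"] = {"alice"}
    s.grant("user", "alice", "project", "p1", "r1")  # cleaned up either way
    s.grant("group", "g1", "project", "p1", "r1")    # left behind pre-fix
    s.grant("user", "alice", "domain", "d1", "r1")   # left behind pre-fix
    (s.delete_role_fixed if fixed else s.delete_role_buggy)("r1")
    return len(s.residual_grants()), s.effective_roles("alice", "project", "p1")
```

Running `demo(False)` leaves two dangling grants behind while `demo(True)` leaves none; in both cases the resolver returns no role name for the deleted role, which is the enforcement-side observation made in the comment.
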
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/27978

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/27978
Committed: http://github.com/openstack/keystone/commit/76efb5c736c5a52fc3dee3a114279b10eb590544
Submitter: Jenkins
Branch: stable/grizzly

commit 76efb5c736c5a52fc3dee3a114279b10eb590544
Author: Gordon Chung <email address hidden>
Date: Thu Feb 14 19:55:00 2013 -0500

    residual grants after delete action (bug1125637)

    remove all applicable grants when role is deleted
    (sql/kvs solution only)

    Fixes: bug #1125637

    Change-Id: I3a958c6d56739e37a95f6c713fab154827e9ceca
    (cherry picked from commit e16742bdf2f1fa7386f2983b037a78fde4a576c3)

tags: removed: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-1 → 2013.2