trust-scoped tokens from v2 API have wrong user_id

Bug #1239303 reported by Steven Hardy
Affects                        Status        Importance  Assigned to      Milestone
OpenStack Identity (keystone)  Fix Released  High        Dolph Mathews
Grizzly                        Fix Released  High        Morgan Fainberg

Bug Description

When requesting a trust-scoped token via the v2 API with impersonation=True, the resulting user_id is wrong: it's the trustee, not the trustor.

The problem is comparing with 'True' string instead of boolean True here:

https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L184
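A simplified model of the comparison bug, added here as an illustration; it is not keystone's code. The trust record fields (trustor_user_id, trustee_user_id, impersonation) follow the keystone trust API, but the values are constructed, and check_impersonation_user is a hypothetical consistency check a deployer could run against issued tokens.

```python
# Constructed trust record: a real boolean is stored for impersonation,
# which is exactly the case the string comparison mishandles.
TRUST = {
    "id": "trust-constructed-1",
    "trustor_user_id": "alice",      # user who delegated her roles
    "trustee_user_id": "heat-svc",   # user who authenticates with the trust
    "impersonation": True,
}


def buggy_token_user(trust, authenticating_user_id):
    """Pre-fix behaviour: the impersonation flag is compared against the
    string 'True'. Since True == 'True' is False in Python, the branch is
    never taken and the token carries the trustee's user_id."""
    if trust["impersonation"] == "True":
        return trust["trustor_user_id"]
    return authenticating_user_id


def fixed_token_user(trust, authenticating_user_id):
    """Post-fix behaviour: the check is made on the boolean itself, so an
    impersonation trust yields a token naming the trustor."""
    if trust["impersonation"] is True:
        return trust["trustor_user_id"]
    return authenticating_user_id


def check_impersonation_user(trust, token_user_id):
    """Hypothetical defender-side check: a token issued from an
    impersonation trust must name the trustor, otherwise the trustee.
    Returns True when the token's user_id is consistent with the trust."""
    expected = (trust["trustor_user_id"] if trust["impersonation"]
                else trust["trustee_user_id"])
    return token_user_id == expected


if __name__ == "__main__":
    trustee = TRUST["trustee_user_id"]
    print("buggy user_id:", buggy_token_user(TRUST, trustee))  # heat-svc (wrong)
    print("fixed user_id:", fixed_token_user(TRUST, trustee))  # alice
```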

Steven Hardy (shardy)
Changed in keystone:
assignee: nobody → Steven Hardy (shardy)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/51448

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
tags: added: grizzly-backport-potential havana-rc-potential
Changed in keystone:
assignee: Steven Hardy (shardy) → Dolph Mathews (dolph)
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-rc3
tags: removed: havana-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/51448
Committed: http://github.com/openstack/keystone/commit/23a10e7c4e3af8ed6bc520a25a0ba2bae8de9157
Submitter: Jenkins
Branch: master

commit 23a10e7c4e3af8ed6bc520a25a0ba2bae8de9157
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

    Fix v2 token user ref with trust impersonation=True

    The v2 token controller incorrectly checks for a string instead
    of a boolean, which results in the wrong user ID (trustee, when
    it should be the trustor) when impersonation=True. So fix the
    comparison and tests, adding a test which illustrates the issue.

    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
    Closes-Bug: #1239303

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/51972

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/51973

Thierry Carrez (ttx) wrote :

Preventing Heat trusts from working

Changed in keystone:
importance: Medium → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (milestone-proposed)

Reviewed: https://review.openstack.org/51972
Committed: http://github.com/openstack/keystone/commit/4285b798a36a206ad420326f593525740d71d7ac
Submitter: Jenkins
Branch: milestone-proposed

commit 4285b798a36a206ad420326f593525740d71d7ac
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

    Fix v2 token user ref with trust impersonation=True

    The v2 token controller incorrectly checks for a string instead
    of a boolean, which results in the wrong user ID (trustee, when
    it should be the trustor) when impersonation=True. So fix the
    comparison and tests, adding a test which illustrates the issue.

    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
    Closes-Bug: #1239303

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-rc3 → 2013.2
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/51973
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8fcc18c42bde2db34e4b29236dc2e971d40f146b
Submitter: Jenkins
Branch: stable/grizzly

commit 8fcc18c42bde2db34e4b29236dc2e971d40f146b
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

    Fix v2 token user ref with trust impersonation=True

    The v2 token controller incorrectly checks for a string instead
    of a boolean, which results in the wrong user ID (trustee, when
    it should be the trustor) when impersonation=True. So fix the
    comparison and tests, adding a test which illustrates the issue.

    This patchset also closes the gap that allows EC2 credentials to
    be issued from trust-scoped tokens, allowing privilege escalation
    since EC2 tokens have no concept of trust-scoping/role
    restrictions in the Grizzly release.

    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
    Closes-Bug: #1239303
    Related-Bug: #1242597
