domain_id in User/Group/Project should be immutable
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Henry Nash |
Bug Description
Today we allow the domain_id in User, Group and Project entities to be updated…
Here's a recipe for how to create this potential security hole using the v3 policy sample file:
- Have a user with role 'admin' on the domain_A (this makes them a "domain admin")
- They try and update their user entity (or any other user entity) with {'domain_id': domain_B}. This will succeed, even though the goal of the v3 policy sample file is to restrict the access for such a user is to only objects domain_A
- The user is now part of domain_B
- The above does not actually yet give the user ability to authenticate to domain_B (since they do not have a role on that domain)…but it perhaps lays the ground work for some other attack to enable that
description: | updated |
description: | updated |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | icehouse-rc1 → 2014.1 |
+1
If there's a strong use case in favor of allowing mutable domain ID's, I don't think I've heard it.