Attempting a RoleCheck when the credentials do not contain a roles list causes an exception
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Timothy Symanczyk |
oslo.policy | Fix Released | Medium | Timothy Symanczyk |
Bug Description
How to reproduce this bug using keystone:
1) Retrieve an unscoped token for any valid account.
2) Using curl - invoke list_user_projects for the SAME user from step 1 using the token from step 1, and observe that this works as expected.
3) Alter the in-use policy file by inserting "role:service or " at the beginning of the rule for list_user_projects ...
< "identity:
---
> "identity:
.... Note that the addition of this 'or' clause should not be able to logically cause any additional denials.
4) Try the identical curl command from step 2 again, and observe that it now fails with 403 Forbidden.
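To make the failure mode concrete, here is an added, simplified model of the policy check tree (not oslo.policy's or keystone's own code, and not the reporter's reproduction). It assumes a rule for list_user_projects of the form "user_id:%(user_id)s" (the real keystone rule is more involved), credentials from an unscoped token that simply lack a "roles" key, and an enforcement wrapper that turns an exception inside a check into a denial; the class names NaiveRoleCheck, SafeRoleCheck, OrCheck and the helper functions are all illustrative.

```python
class Check:
    """Base of a simplified policy check tree (illustration, not oslo.policy code)."""

    def __call__(self, target, creds):
        raise NotImplementedError


class GenericCheck(Check):
    """Simplified 'attr:%(attr)s' check: expand the right-hand side against the
    target, then compare it with the same-named credential attribute."""

    def __init__(self, kind, match):
        self.kind, self.match = kind, match

    def __call__(self, target, creds):
        try:
            wanted = self.match % target
        except KeyError:
            return False
        return self.kind in creds and str(creds[self.kind]) == wanted


class NaiveRoleCheck(Check):
    """'role:<name>' as it behaves before the fix: indexes creds['roles']
    directly, so credentials without a roles list raise KeyError."""

    def __init__(self, match):
        self.match = match

    def __call__(self, target, creds):
        return self.match.lower() in [r.lower() for r in creds["roles"]]


class SafeRoleCheck(Check):
    """'role:<name>' after the fix: a missing roles list means the caller has
    no roles, so the check is simply False and evaluation continues."""

    def __init__(self, match):
        self.match = match

    def __call__(self, target, creds):
        roles = creds.get("roles") or []
        return self.match.lower() in [r.lower() for r in roles]


class OrCheck(Check):
    """'a or b': passes when any sub-check passes, evaluated left to right."""

    def __init__(self, rules):
        self.rules = rules

    def __call__(self, target, creds):
        return any(rule(target, creds) for rule in self.rules)


def enforce(rule, target, creds):
    """Stand-in for the enforcement wrapper (assumption: an exception raised
    inside a check surfaces as a denial, which is what a 403 looks like)."""
    try:
        return bool(rule(target, creds))
    except KeyError:
        return False


# Constructed sample data (not taken from the bug report).
TARGET = {"user_id": "u1"}                            # user whose projects are listed
UNSCOPED_CREDS = {"user_id": "u1"}                    # unscoped token: no 'roles' key
SCOPED_CREDS = {"user_id": "u1", "roles": ["Member"]}  # scoped token carries roles

# Assumed rule shape for list_user_projects: the caller must be the user itself.
OWNER = GenericCheck("user_id", "%(user_id)s")


def evaluate(role_check_cls, creds):
    """Return (result of the original rule, result after prefixing 'role:service or ')."""
    before = OWNER
    after = OrCheck([role_check_cls("service"), OWNER])
    return enforce(before, TARGET, creds), enforce(after, TARGET, creds)


def role_check_raises(role_check_cls, creds):
    """True if the bare role check raises on these credentials; this is the
    path a unit test for the fix would exercise."""
    try:
        role_check_cls("service")(TARGET, creds)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print("naive, unscoped:", evaluate(NaiveRoleCheck, UNSCOPED_CREDS))  # (True, False)
    print("safe, unscoped: ", evaluate(SafeRoleCheck, UNSCOPED_CREDS))   # (True, True)
    print("naive, scoped:  ", evaluate(NaiveRoleCheck, SCOPED_CREDS))    # (True, True)
```

The point the reproduction makes is visible in evaluate: adding an "or" branch can never logically add a denial, yet with the naive check the new branch raises before the owner check is ever reached, and the exception is reported as a denial. Treating an absent roles list as "no roles" restores the expected short-circuit behaviour.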
Changed in keystone:
assignee: nobody → Timothy Symanczyk (timothy-symanczyk)
Changed in keystone:
status: New → Invalid
Changed in oslo.policy:
assignee: nobody → Timothy Symanczyk (timothy-symanczyk)
summary:
- Policy rules can be incorrectly applied with unscoped tokens
+ Attempting a RoleCheck when the credentials do not contain a roles list causes an exception
description: updated
Changed in oslo.policy:
status: New → In Progress
Changed in oslo.policy:
status: In Progress → Fix Committed
Changed in oslo.policy:
status: Fix Committed → Fix Released
importance: Undecided → Medium
My proposed fix: https://review.openstack.org/#/c/262329/2
Includes a new unit test that will crash without the fix.