Comment 22 for bug 1121494

Thierry Carrez (ttx) wrote : Re: EC2 authentication does not ensure user or tenant is enabled

Proposed description:

----------------
Title: Keystone EC2-style authentication accepts disabled users/tenants
Reporter: $CREDIT
Products: Keystone
Affects: All versions

Description:
$CREDIT reported a vulnerability in EC2-style authentication in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 API. Authenticated but disabled users (or authenticated users in disabled tenants or domains) could therefore retain access rights that were thought removed. Only setups enabling EC2-style authentication are affected.
---------------

@mathrock: what do you want to appear in $CREDIT?
@Keystone-core: Is it even possible to disable EC2-style auth to work around this issue? If yes, how?
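The enabled-state checks the description says are missing, as an added example that is not Keystone's own code: a constructed in-memory store stands in for Keystone's backends, the `rejection_reason` and `sample_store` names and the `AK-*` access keys are made up for illustration, and request signature verification is assumed to happen elsewhere.

```python
from typing import Dict, Optional

# Constructed in-memory stand-ins for the records an EC2 access key resolves to;
# each value is a flat dict instead of Keystone's real model objects.
Store = Dict[str, Dict[str, dict]]

def rejection_reason(access_key: str, store: Store) -> Optional[str]:
    """Return why an EC2 access key must be refused, or None if it may be accepted.
    Signature verification is assumed to have passed already; this covers only the
    enabled-state checks the bug report says were missing (user, tenant, domains).
    """
    cred = store["credentials"].get(access_key)
    if cred is None:
        return "unknown access key"
    user = store["users"][cred["user_id"]]
    project = store["projects"][cred["project_id"]]
    if not user["enabled"]:
        return "user disabled"
    if not store["domains"][user["domain_id"]]["enabled"]:
        return "user domain disabled"
    if not project["enabled"]:
        return "tenant disabled"
    if not store["domains"][project["domain_id"]]["enabled"]:
        return "tenant domain disabled"
    return None

def sample_store() -> Store:
    """Constructed sample data: one enabled and one disabled principal of each kind."""
    return {
        "credentials": {
            "AK-OK": {"user_id": "alice", "project_id": "proj-a"},
            "AK-USER-OFF": {"user_id": "bob", "project_id": "proj-a"},
            "AK-TENANT-OFF": {"user_id": "alice", "project_id": "proj-b"},
            "AK-DOMAIN-OFF": {"user_id": "carol", "project_id": "proj-c"},
        },
        "users": {
            "alice": {"domain_id": "d1", "enabled": True},
            "bob": {"domain_id": "d1", "enabled": False},
            "carol": {"domain_id": "d2", "enabled": True},
        },
        "projects": {
            "proj-a": {"domain_id": "d1", "enabled": True},
            "proj-b": {"domain_id": "d1", "enabled": False},
            "proj-c": {"domain_id": "d2", "enabled": True},
        },
        "domains": {"d1": {"enabled": True}, "d2": {"enabled": False}},
    }
```

Note that a valid signature alone is not sufficient: every principal the credential maps to (user, tenant, and both of their domains) has to be enabled before a token is issued.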