residual grants after delete action

Bug #1125637 reported by gordon chung on 2013-02-14
Affects                         Importance   Assigned to
OpenStack Identity (keystone)   Medium       gordon chung
Grizzly                         Medium       Adam Gandelman

Bug Description

Currently, if you delete a role, the grant still exists (except for the user-project grant, which gets cleaned up on role delete).

The grant should be dropped as well to avoid possible security issues.

gordon chung (chungg) on 2013-02-14
Changed in keystone:
assignee: nobody → gordon chung (chungg)

Fix proposed to branch: master
Review: https://review.openstack.org/22008

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) on 2013-03-22
Changed in keystone:
importance: Undecided → Medium
tags: added: grizzly-rc-potential
Thierry Carrez (ttx) on 2013-04-02
tags: added: grizzly-backprot-potential
removed: grizzly-rc-potential
tags: added: grizzly-backport-potential
removed: grizzly-backprot-potential

Reviewed: https://review.openstack.org/22008
Committed: http://github.com/openstack/keystone/commit/e16742bdf2f1fa7386f2983b037a78fde4a576c3
Submitter: Jenkins
Branch: master

commit e16742bdf2f1fa7386f2983b037a78fde4a576c3
Author: Gordon Chung <email address hidden>
Date: Thu Feb 14 19:55:00 2013 -0500

    residual grants after delete action (bug1125637)

    remove all applicable grants when role is deleted
    (sql/kvs solution only)

    Fixes: bug #1125637
    Change-Id: I3a958c6d56739e37a95f6c713fab154827e9ceca

Changed in keystone:
status: In Progress → Fix Committed
Kurt Seifried (kseifried) wrote :

Are these grants still accessible in some way? I'm trying to figure out if this is security hardening or a security flaw. It appears to be security hardening, can anyone confirm it?

Adam Young (ayoung) wrote :

Yes, but the real security issue is on the enforcement side, which is based on policy. Dropping the Role does not drop the policy enforcement, which is usually of the form "user needs the role R on Project P in order to execute the method M that affects project P", so just dropping the role is not sufficient to revoke that role from all users, and will have no effect on the overall system. It is surprising, but not necessarily a security bug. Still worth fixing and probably backporting the fix.
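As an added illustration of the behaviour discussed above (constructed model, not keystone's own code, which is in the linked review): a toy assignment store whose role delete either cleans only user-project grants, as the report describes, or drops every grant referencing the role; it also shows why the leftover grants matter when a role id is later reused. All names and the tuple layout are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AssignmentStore:
    # Constructed model, not keystone code; a grant is (actor_kind, actor_id, target_kind, target_id, role_id).
    roles: dict = field(default_factory=dict)   # role_id -> role name
    grants: set = field(default_factory=set)

    def create_grant(self, actor_kind, actor_id, target_kind, target_id, role_id):
        if role_id not in self.roles:
            raise KeyError("unknown role %s" % role_id)
        self.grants.add((actor_kind, actor_id, target_kind, target_id, role_id))

    def delete_role(self, role_id, clean_all=True):
        # clean_all=False is the pre-fix behaviour from the report: only user->project
        # grants are removed; group and domain grants keep pointing at the dead id.
        del self.roles[role_id]
        self.grants = {g for g in self.grants if not (
            g[4] == role_id and (clean_all or (g[0] == "user" and g[2] == "project")))}

    def residual_grants(self):
        return {g for g in self.grants if g[4] not in self.roles}

    def has_role(self, actor_kind, actor_id, target_kind, target_id, role_name):
        # Enforcement resolves the role name (as a policy rule would), so a dead id confers nothing.
        return any(g[:4] == (actor_kind, actor_id, target_kind, target_id)
                   and self.roles.get(g[4]) == role_name for g in self.grants)


def seed():
    s = AssignmentStore()
    s.roles["r1"] = "admin"
    s.create_grant("user", "alice", "project", "p1", "r1")
    s.create_grant("group", "ops", "project", "p1", "r1")
    s.create_grant("user", "bob", "domain", "d1", "r1")
    return s


def residual_count(clean_all):
    s = seed()
    s.delete_role("r1", clean_all=clean_all)
    return len(s.residual_grants())   # 2 with the leaky delete, 0 with the fix


def stale_grant_revived():
    # Why residue matters: reuse of "r1" for a new role silently revives the leftover group grant.
    s = seed()
    s.delete_role("r1", clean_all=False)
    s.roles["r1"] = "member"
    return s.has_role("group", "ops", "project", "p1", "member")   # True
```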

Reviewed: https://review.openstack.org/27978
Committed: http://github.com/openstack/keystone/commit/76efb5c736c5a52fc3dee3a114279b10eb590544
Submitter: Jenkins
Branch: stable/grizzly

commit 76efb5c736c5a52fc3dee3a114279b10eb590544
Author: Gordon Chung <email address hidden>
Date: Thu Feb 14 19:55:00 2013 -0500

    residual grants after delete action (bug1125637)

    remove all applicable grants when role is deleted
    (sql/kvs solution only)

    Fixes: bug #1125637

    Change-Id: I3a958c6d56739e37a95f6c713fab154827e9ceca
    (cherry picked from commit e16742bdf2f1fa7386f2983b037a78fde4a576c3)

tags: removed: grizzly-backport-potential
Thierry Carrez (ttx) on 2013-05-29
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-1 → 2013.2