trust-scoped tokens from v2 API have wrong user_id

Bug #1239303 reported by Steven Hardy on 2013-10-13
Affects: OpenStack Identity (keystone)   Importance: High   Assigned to: Dolph Mathews
Affects: Grizzly                         Importance: High   Assigned to: Morgan Fainberg

Bug Description

When requesting a trust-scoped token via the v2 API with impersonation=True, the resulting user_id is wrong: it is the trustee, not the trustor.

The problem is a comparison with the string 'True' instead of the boolean True here:

https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L184
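The defect described above, as an added example that is not keystone's code and not part of the original report: a model of how the v2 token controller picks the user for a trust-scoped token, with the string comparison beside the boolean comparison that fixes it, plus a consumer-side check that a service relying on trusts could run over a v2 token response to detect the mismatch. The trust data, the reduced token shape and the function names are constructed for the example.

```python
"""Added example (not keystone's code): models the user selection for a
v2 trust-scoped token, the buggy string comparison from bug #1239303 beside
the boolean comparison, and a check over the resulting token response.
All data and names here are constructed assumptions for the example."""

# Constructed sample trust: alice (trustor) delegates to bob (trustee)
# with impersonation enabled. The flag is stored as a boolean.
SAMPLE_TRUST = {
    "id": "trust-0001",
    "trustor_user_id": "alice",
    "trustee_user_id": "bob",
    "impersonation": True,
    "roles": [{"name": "heat_stack_owner"}],
}


def select_user_id_buggy(trust_ref):
    """Pre-fix behaviour: the flag is compared with the string 'True'.
    A boolean True never equals 'True', so the trustor branch is dead
    and the token is always issued for the trustee."""
    if trust_ref["impersonation"] == "True":
        return trust_ref["trustor_user_id"]
    return trust_ref["trustee_user_id"]


def select_user_id_fixed(trust_ref):
    """Fixed behaviour: compare against the boolean itself."""
    if trust_ref["impersonation"] is True:
        return trust_ref["trustor_user_id"]
    return trust_ref["trustee_user_id"]


def build_v2_token(trust_ref, select_user_id):
    """Assemble a minimal v2-style token response. The shape is an
    assumption of this example, reduced to the fields the check needs."""
    return {
        "access": {
            "token": {"id": "tok-abc", "tenant": {"id": "proj-1"}},
            "user": {
                "id": select_user_id(trust_ref),
                "roles": trust_ref["roles"],
            },
            "trust": {
                "id": trust_ref["id"],
                "trustee_user_id": trust_ref["trustee_user_id"],
                "trustor_user_id": trust_ref["trustor_user_id"],
                "impersonation": trust_ref["impersonation"],
            },
        }
    }


def check_trust_token(token):
    """Return (ok, reason). Verifies that access.user.id is the user the
    trust's impersonation flag requires. A non-boolean flag is rejected
    outright instead of being coerced, so a stray string 'True' is
    reported rather than silently compared."""
    access = token["access"]
    trust = access.get("trust")
    if trust is None:
        return True, "not trust-scoped"
    flag = trust["impersonation"]
    if not isinstance(flag, bool):
        return False, "impersonation flag is %r, expected a bool" % (flag,)
    want = trust["trustor_user_id"] if flag else trust["trustee_user_id"]
    got = access["user"]["id"]
    if got != want:
        return False, "user.id is %s, expected %s" % (got, want)
    return True, "ok"


if __name__ == "__main__":
    for name, selector in (("buggy", select_user_id_buggy),
                           ("fixed", select_user_id_fixed)):
        tok = build_v2_token(SAMPLE_TRUST, selector)
        print(name, tok["access"]["user"]["id"], check_trust_token(tok))
```

Running the block prints the trustee for the buggy selector and the trustor for the fixed one; the same check can be pointed at a real v2 token response by passing the parsed JSON body, since it only reads `access.user.id` and `access.trust`.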

Steven Hardy (shardy) on 2013-10-13
Changed in keystone:
assignee: nobody → Steven Hardy (shardy)

Fix proposed to branch: master
Review: https://review.openstack.org/51448

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) on 2013-10-13
Changed in keystone:
importance: Undecided → Medium
tags: added: grizzly-backport-potential havana-rc-potential
Changed in keystone:
assignee: Steven Hardy (shardy) → Dolph Mathews (dolph)
Thierry Carrez (ttx) on 2013-10-15
Changed in keystone:
milestone: none → havana-rc3
tags: removed: havana-rc-potential

Reviewed: https://review.openstack.org/51448
Committed: http://github.com/openstack/keystone/commit/23a10e7c4e3af8ed6bc520a25a0ba2bae8de9157
Submitter: Jenkins
Branch: master

commit 23a10e7c4e3af8ed6bc520a25a0ba2bae8de9157
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

    Fix v2 token user ref with trust impersonation=True

    The v2 token controller incorrectly checks for a string instead
    of a boolean, which results in the wrong user ID (trustee, when
    it should be the trustor) when impersonation=True. So fix the
    comparison and tests, adding a test which illustrates the issue.

    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
    Closes-Bug: #1239303

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) wrote:

Preventing Heat trusts from working

Changed in keystone:
importance: Medium → High

Reviewed: https://review.openstack.org/51972
Committed: http://github.com/openstack/keystone/commit/4285b798a36a206ad420326f593525740d71d7ac
Submitter: Jenkins
Branch: milestone-proposed

commit 4285b798a36a206ad420326f593525740d71d7ac
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

    Fix v2 token user ref with trust impersonation=True

    The v2 token controller incorrectly checks for a string instead
    of a boolean, which results in the wrong user ID (trustee, when
    it should be the trustor) when impersonation=True. So fix the
    comparison and tests, adding a test which illustrates the issue.

    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
    Closes-Bug: #1239303

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc3 → 2013.2
Alan Pevec (apevec) on 2013-11-25
tags: removed: grizzly-backport-potential

Reviewed: https://review.openstack.org/51973
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8fcc18c42bde2db34e4b29236dc2e971d40f146b
Submitter: Jenkins
Branch: stable/grizzly

commit 8fcc18c42bde2db34e4b29236dc2e971d40f146b
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

    Fix v2 token user ref with trust impersonation=True

    The v2 token controller incorrectly checks for a string instead
    of a boolean, which results in the wrong user ID (trustee, when
    it should be the trustor) when impersonation=True. So fix the
    comparison and tests, adding a test which illustrates the issue.

    This patchset also closes the gap that allows EC2 credentials to
    be issued from trust-scoped tokens, allowing privilege escalation
    since EC2 tokens have no concept of trust-scoping/role
    restrictions in the Grizzly release.

    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
    Closes-Bug: #1239303
    Related-Bug: #1242597
