Reviewed: https://review.openstack.org/51973
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8fcc18c42bde2db34e4b29236dc2e971d40f146b
Submitter: Jenkins
Branch: stable/grizzly

commit 8fcc18c42bde2db34e4b29236dc2e971d40f146b
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

Fix v2 token user ref with trust impersonation=True

The v2 token controller incorrectly checks for a string instead
of a boolean, which results in the wrong user ID (trustee, when
it should be the trustor) when impersonation=True. So fix the
comparison and tests, adding a test which illustrates the issue.

This patchset also closes the gap that allows EC2 credentials to
be issued from trust-scoped tokens, allowing privilege escalation
since EC2 tokens have no concept of trust-scoping/role
restrictions in the Grizzly release.

Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
Closes-Bug: #1239303
Related-Bug: #1242597
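
The two defects the commit message describes, sketched as an added example (not code from Keystone or from this commit). All function names, dict keys and sample values are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not Keystone's API.

class Forbidden(Exception):
    """Raised when policy refuses a request."""


def effective_user_buggy(trust):
    # Defect pattern: the flag is stored as a boolean, so comparing it with
    # the string 'True' is always False and the trustee is returned.
    if trust["impersonation"] == "True":
        return trust["trustor_user_id"]
    return trust["trustee_user_id"]


def effective_user_fixed(trust):
    # Accept only a real boolean. A string such as "False" is truthy, so a
    # plain truthiness test would fail open; reject other types instead.
    flag = trust["impersonation"]
    if not isinstance(flag, bool):
        raise ValueError("impersonation must be a boolean")
    return trust["trustor_user_id"] if flag else trust["trustee_user_id"]


def create_ec2_credential(token, make_credential):
    # EC2 credentials carry no trust scope or role restriction, so refuse to
    # mint one when the presenting token is trust-scoped.
    if token.get("trust_id"):
        raise Forbidden("EC2 credentials cannot be issued from a trust-scoped token")
    return make_credential(token["user_id"], token["tenant_id"])


def demo_make_credential(user_id, tenant_id):
    # Stand-in for a credential backend (constructed for this example).
    return {"user_id": user_id, "tenant_id": tenant_id, "access": "constructed-access-key"}


# Constructed sample data.
TRUST = {"id": "trust-1", "trustor_user_id": "alice",
         "trustee_user_id": "bob", "impersonation": True}
TRUST_TOKEN = {"user_id": "alice", "tenant_id": "proj-1", "trust_id": "trust-1"}
PLAIN_TOKEN = {"user_id": "alice", "tenant_id": "proj-1"}

if __name__ == "__main__":
    print("buggy:", effective_user_buggy(TRUST))   # trustee
    print("fixed:", effective_user_fixed(TRUST))   # trustor
    print(create_ec2_credential(PLAIN_TOKEN, demo_make_credential))
```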