[OSSA 2013-028] Removing role adds role with LDAP backend
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Critical | Brant Knudson | |
| Grizzly | Fix Released | Critical | Brant Knudson | |
| Havana | Fix Released | Critical | Brant Knudson | |
| OpenStack Security Advisory | Fix Released | High | Thierry Carrez | |
Bug Description
Using the LDAP assignment backend, if you attempt to remove a role from a user on a tenant and the user doesn't have that role on the tenant then the user is actually granted the role on the tenant. Also, the role must not have been granted to anyone on the tenant before.
To recreate
0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_
In localrc,
enable_service ldap
KEYSTONE_
KEYSTONE_
1) set up environment with OS_USERNAME=admin
export OS_USERNAME=admin
...
2) Create a new user, give admin role, list roles:
$ keystone user-create --name blktest1 --pass blkpwd
+------
| Property | Value |
+------
| email | |
| enabled | True |
| id | 3b71182dc36e45c
| name | blktest1 |
+------
$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+------
| id | name | user_id | tenant_id |
+------
| 1c39fab0fa9a4a6
+------
3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- Expected to fail with 404, but it doesn't!
4) List roles as that user:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+------
| id | name | user_id | tenant_id |
+------
| 1c39fab0fa9a4a6
| afe23e7955704cc
+------
- Expected to not include the role that was just removed!
5) Remove the role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- No errors, which I guess is expected since list just said they had the role...
6) List roles, and now it's gone:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+------
| id | name | user_id | tenant_id |
+------
| 1c39fab0fa9a4a6
+------
7) Remove role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c
- Strangely says user not found rather than role not assigned.
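The steps above show a removal call that behaves as a grant when the (tenant, role) pair has never been assigned. The following is an added illustration, not keystone's code and not the fix that was merged: it models the assignment store as one entry per (tenant, role) holding a set of occupant user ids (loosely modelled on the `roleOccupant` attribute an LDAP assignment backend keeps), places a "create the entry on miss" fallback in the buggy remove path, and pairs it with a strict variant. All class and function names, and the exact cause of the defect, are assumptions for the sake of the model; `reproduce()` replays steps 2 to 7 from the report, and `remove_never_grants()` is the invariant a regression test should assert: a remove call may shrink a user's role set but never enlarge it.

```python
"""Toy model of the role-removal defect described in OSSA 2013-028.

Added illustration, not keystone's code. Layout assumed: one entry per
(tenant, role) pair holding the set of user ids that occupy it.
"""


class NotFound(Exception):
    """Stands in for the HTTP 404 the CLI reports as an error."""


class TenantRoleStore:
    def __init__(self):
        # (tenant, role) -> set of user ids  (constructed, in-memory stand-in for LDAP)
        self.entries = {}

    def add_role(self, user, role, tenant):
        self.entries.setdefault((tenant, role), set()).add(user)

    def list_roles(self, user, tenant):
        return tuple(sorted(role for (t, role), users in self.entries.items()
                            if t == tenant and user in users))


def remove_role_buggy(store, user, role, tenant):
    """Models the vulnerable behaviour (assumed cause): when the (tenant, role)
    entry does not exist yet, a create-on-miss fallback builds it with the
    requesting user as its only occupant, so 'remove' turns into 'grant'."""
    key = (tenant, role)
    if key not in store.entries:
        store.entries[key] = {user}          # the defect: a remove that grants
        return
    if user not in store.entries[key]:
        raise NotFound("Could not find user, %s" % user)
    store.entries[key].discard(user)


def remove_role_fixed(store, user, role, tenant):
    """Hardened variant: a missing entry or a missing occupant is a 404, and
    the store is never written unless the assignment actually existed."""
    key = (tenant, role)
    if user not in store.entries.get(key, set()):
        raise NotFound("user %s has no role %s on tenant %s" % (user, role, tenant))
    store.entries[key].discard(user)
    if not store.entries[key]:
        del store.entries[key]               # drop empty entries; nothing to keep


def reproduce(remove):
    """Replay steps 2 to 7 of the report: grant admin, then call remove on a
    role the user never had, three times. Returns (outcome, roles) per step."""
    store = TenantRoleStore()
    store.add_role("blktest1", "admin", "service")        # step 2
    timeline = [("initial", store.list_roles("blktest1", "service"))]
    for _ in range(3):                                    # steps 3, 5, 7
        try:
            remove(store, "blktest1", "anotherrole", "service")
            outcome = "ok"
        except NotFound:
            outcome = "404"
        timeline.append((outcome, store.list_roles("blktest1", "service")))
    return timeline


def remove_never_grants(remove):
    """Invariant for a regression test: whatever the starting state, a remove
    call must leave the user's role set a subset of what it was before."""
    for start in ((), ("admin",), ("admin", "anotherrole")):
        store = TenantRoleStore()
        for r in start:
            store.add_role("blktest1", r, "service")
        before = set(store.list_roles("blktest1", "service"))
        try:
            remove(store, "blktest1", "anotherrole", "service")
        except NotFound:
            pass
        after = set(store.list_roles("blktest1", "service"))
        if not after <= before:
            return False
    return True


if __name__ == "__main__":
    for name, fn in (("buggy", remove_role_buggy), ("fixed", remove_role_fixed)):
        print(name, reproduce(fn), "never grants:", remove_never_grants(fn))
```

The buggy timeline reproduces the report's sequence (the first remove succeeds and the role appears, the second remove succeeds and the role disappears, the third is a 404), while the fixed variant returns 404 on every call and leaves the role set untouched. The `remove_never_grants` check is the property to keep in a test suite: it catches this class of bug regardless of which backend code path causes it.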
CVE References
Changed in keystone:
  assignee: nobody → Brant Knudson (blk-u)
  tags: added: havana-backport-potential
  description: updated
Changed in keystone:
  importance: Undecided → Critical
  information type: Public → Public Security
Changed in keystone:
  assignee: Brant Knudson (blk-u) → Dolph Mathews (dolph)
Changed in ossa:
  status: New → Incomplete
Changed in keystone:
  assignee: Dolph Mathews (dolph) → Brant Knudson (blk-u)
  tags: added: grizzly-backport-potential
  tags: removed: grizzly-backport-potential havana-backport-potential
Changed in keystone:
  milestone: none → icehouse-1
  status: Fix Committed → Fix Released
Changed in keystone:
  milestone: icehouse-1 → 2014.1
Related fix proposed to branch: master review.openstack.org/53010
Review: https:/