v3 tokens with references outside the default domain can be validated on v2

Bug #1475762 reported by Dolph Mathews
This bug affects 1 person
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Dolph Mathews
  Kilo                         Fix Released  Medium      Dolph Mathews

Bug Description

v2 has no knowledge of multiple domains, so all ID references it sees must exist inside the default domain.

So, a v3 token being validated on v2 must have a project-scope in the default domain, a user identity in the default domain, and obviously must not be a domain-scoped token.

The current implementation of Fernet blindly returns tokens to the v2 API with (at least) project references that exist outside the default domain (I have not tested user references). The consequence is that v2 clients may end up with naming collisions (due to lack of domain namespacing).

tags: added: fernet
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/192739
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a8c57027dad13389e1aebc242e18f9e05726b349
Submitter: Jenkins
Branch: master

commit a8c57027dad13389e1aebc242e18f9e05726b349
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 17 19:33:22 2015 +0000

    Additional Fernet test coverage

    This expands existing test coverage to include Fernet tokens, a few of
    which expose a couple issues (see related bugs below).

    Change-Id: I53374d41e4e5453817b6635aee56df625073d015
    Related-Bug: 1459790
    Related-Bug: 1475762

Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/208069

Changed in keystone:
status: Triaged → In Progress
Revision history for this message
Dolph Mathews (dolph) wrote: Re: v3 Fernet tokens with references outside the default domain can be validated on v2

This turned out to be an issue with all token providers.

tags: removed: fernet
Changed in keystone:
assignee: Dolph Mathews (dolph) → Guang Yee (guang-yee)
Guang Yee (guang-yee)
Changed in keystone:
assignee: Guang Yee (guang-yee) → Dolph Mathews (dolph)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/208069
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4723550aa95be403ff591dd132c9024549eff10
Submitter: Jenkins
Branch: master

commit c4723550aa95be403ff591dd132c9024549eff10
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 31 20:31:54 2015 +0000

    Validate domain ownership for v2 tokens

    The v2 API is not domain aware, and so the default domain serves to
    provide an implicit domain scope for v2 API clients. If a v3 token with
    a user (or project scope) outside the default domain is validated by the
    v2 API, the user (or project) reference may result in a collision due to
    the namespacing provided by domains.

    This patch provides validation that the references being returned to the
    v2 API are in fact in the default domain, and thus cannot result in
    namespace collisions.

    Change-Id: Ia75c260485b2cff3cd6cf5cf39c0ec715b99df10
    Closes-Bug: 1475762
    Closes-Bug: 1483382
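The bug description and the commit message above both describe the same check: before a v3 token is handed back through the v2 API, every reference in it (the user, and the project scope if any) must belong to the default domain, and a domain-scoped token must be refused outright, because v2 clients see only names and cannot tell two same-named users or projects from different domains apart. The following is an added illustration of that check written for this page; it is not keystone's code, and the token layout, the exception class and the sample tokens are all constructed for the example.

```python
"""Added example: a simplified domain-ownership check for v3 tokens that are
about to be returned to a v2 client. Constructed for illustration; the token
dictionary shape and the exception type are assumptions, not keystone's own
data model or API.
"""

# Assumption: the id of keystone's default domain (configurable in keystone).
DEFAULT_DOMAIN_ID = "default"


class V2ValidationError(Exception):
    """Raised when a v3 token cannot be safely represented to a v2 client."""


def _domain_id_of(ref):
    """Return the domain id of a user/project reference.

    Accepts both a flat {"domain_id": ...} and a nested {"domain": {"id": ...}}
    layout so the check does not depend on which shape a provider emits.
    """
    if "domain_id" in ref:
        return ref["domain_id"]
    return ref.get("domain", {}).get("id")


def v2_rejection_reason(token, default_domain_id=DEFAULT_DOMAIN_ID):
    """Return None if the token is safe to return via v2, else a reason string.

    Three conditions make a v3 token unrepresentable on v2:
      1. it is domain-scoped (v2 has no notion of domain scope),
      2. its user lives outside the default domain,
      3. its project scope (when present) lives outside the default domain.
    An unscoped token with a default-domain user is acceptable, since v2
    supports unscoped tokens.
    """
    if "domain" in token:
        return "domain-scoped tokens cannot be validated on v2"

    user = token.get("user")
    if user is None:
        return "token carries no user reference"
    user_domain = _domain_id_of(user)
    if user_domain != default_domain_id:
        return "user %s belongs to domain %s, not the default domain" % (
            user.get("id"), user_domain)

    project = token.get("project")
    if project is not None:
        project_domain = _domain_id_of(project)
        if project_domain != default_domain_id:
            return "project %s belongs to domain %s, not the default domain" % (
                project.get("id"), project_domain)

    return None


def validate_references_for_v2(token, default_domain_id=DEFAULT_DOMAIN_ID):
    """Return the token unchanged if v2-safe; raise V2ValidationError otherwise."""
    reason = v2_rejection_reason(token, default_domain_id)
    if reason is not None:
        raise V2ValidationError(reason)
    return token


def is_v2_safe(token, default_domain_id=DEFAULT_DOMAIN_ID):
    """Boolean convenience wrapper around v2_rejection_reason()."""
    return v2_rejection_reason(token, default_domain_id) is None


# Constructed sample tokens (not real keystone output).
OK_TOKEN = {
    "user": {"id": "u1", "name": "alice", "domain": {"id": "default"}},
    "project": {"id": "p1", "name": "demo", "domain": {"id": "default"}},
}
UNSCOPED_TOKEN = {
    "user": {"id": "u1", "name": "alice", "domain": {"id": "default"}},
}
FOREIGN_PROJECT_TOKEN = {
    "user": {"id": "u1", "name": "alice", "domain": {"id": "default"}},
    # Same project name "demo" as OK_TOKEN, but in another domain: a v2
    # client would see an indistinguishable "demo" project.
    "project": {"id": "p2", "name": "demo", "domain": {"id": "d-other"}},
}
FOREIGN_USER_TOKEN = {
    "user": {"id": "u2", "name": "alice", "domain_id": "d-other"},
    "project": {"id": "p1", "name": "demo", "domain": {"id": "default"}},
}
DOMAIN_SCOPED_TOKEN = {
    "user": {"id": "u1", "name": "alice", "domain": {"id": "default"}},
    "domain": {"id": "default", "name": "Default"},
}

if __name__ == "__main__":
    for label, tok in [("ok", OK_TOKEN), ("unscoped", UNSCOPED_TOKEN),
                       ("foreign project", FOREIGN_PROJECT_TOKEN),
                       ("foreign user", FOREIGN_USER_TOKEN),
                       ("domain scoped", DOMAIN_SCOPED_TOKEN)]:
        print("%-16s -> %s" % (label, v2_rejection_reason(tok) or "accepted"))
```

The FOREIGN_PROJECT_TOKEN case is the collision the bug describes: both sample projects are named "demo", and only the domain id distinguishes them, which a v2 response does not carry.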

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Related fix proposed to keystone (stable/kilo)

Related fix proposed to branch: stable/kilo
Review: https://review.openstack.org/212947

Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/213216

Dolph Mathews (dolph)
summary: - v3 Fernet tokens with references outside the default domain can be
- validated on v2
+ v3 tokens with references outside the default domain can be validated on
+ v2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Related fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/212947
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a1e20fbbb5d739b878b00638769ff81466f3a0b8
Submitter: Jenkins
Branch: stable/kilo

commit a1e20fbbb5d739b878b00638769ff81466f3a0b8
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 17 19:33:22 2015 +0000

    Additional Fernet test coverage

    This expands existing test coverage to include Fernet tokens, a few of
    which expose a couple issues (see related bugs below).

    NOTE: The config fixture in keystone/tests/unit/test_v3_auth.py L536
    needed to be revised to use a full class path, rather than the
    stevedore-based entry point loading introduced to keystone during the
    liberty release cycle.

    Change-Id: I53374d41e4e5453817b6635aee56df625073d015
    Related-Bug: 1459790
    Related-Bug: 1475762
    (cherry picked from commit a8c57027dad13389e1aebc242e18f9e05726b349)

tags: added: in-stable-kilo
Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/213216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9dfad21201251364c6d205e8e79813bfe78e6107
Submitter: Jenkins
Branch: stable/kilo

commit 9dfad21201251364c6d205e8e79813bfe78e6107
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 31 20:31:54 2015 +0000

    Validate domain ownership for v2 tokens

    The v2 API is not domain aware, and so the default domain serves to
    provide an implicit domain scope for v2 API clients. If a v3 token with
    a user (or project scope) outside the default domain is validated by the
    v2 API, the user (or project) reference may result in a collision due to
    the namespacing provided by domains.

    This patch provides validation that the references being returned to the
    v2 API are in fact in the default domain, and thus cannot result in
    namespace collisions.

    Conflicts:

    - keystone/tests/unit/test_v3_auth.py: A readability refactor has landed
      in master. Those changes have not been backported to stable/kilo.

    Change-Id: Ia75c260485b2cff3cd6cf5cf39c0ec715b99df10
    Depends-On: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4
    Closes-Bug: 1475762
    Closes-Bug: 1483382
    (cherry picked from commit c4723550aa95be403ff591dd132c9024549eff10)

Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-3 → 8.0.0