v3 tokens with references outside the default domain can be validated on v2
Bug #1475762 reported by Dolph Mathews
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Dolph Mathews |
Kilo | Fix Released | Medium | Dolph Mathews |
Bug Description
v2 has no knowledge of multiple domains, so all ID references it sees must exist inside the default domain.
So, a v3 token being validated on v2 must have a project-scope in the default domain, a user identity in the default domain, and obviously must not be a domain-scoped token.
The current implementation of Fernet blindly returns tokens to the v2 API with (at least) project references that exist outside the default domain (I have not tested user references). The consequence is that v2 clients may end up with naming collisions (due to lack of domain namespacing).
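The constraints in the description above, written as a fail-closed check over a v3 token body. This is an added example, not keystone's code or the committed fix; the function names, the exception and the sample tokens are constructed. It assumes `default` as the default domain ID and that unscoped tokens remain acceptable on v2.

```python
# Added example, not keystone code. Dicts follow the v3 token body layout;
# every function and exception name here is hypothetical.
DEFAULT_DOMAIN_ID = "default"  # assumed value of [identity] default_domain_id


class NotV2Representable(Exception):
    """The v3 token references something v2 cannot namespace."""


def assert_v2_representable(token_body, default_domain_id=DEFAULT_DOMAIN_ID):
    token = token_body["token"]

    # Domain-scoped tokens have no v2 equivalent at all.
    if "domain" in token:
        raise NotV2Representable("domain-scoped token")

    # The user identity must live in the default domain. A missing domain
    # reference yields None and is rejected rather than assumed to be default.
    user_domain = token.get("user", {}).get("domain", {}).get("id")
    if user_domain != default_domain_id:
        raise NotV2Representable("user outside default domain: %r" % user_domain)

    # Assumption: unscoped tokens are allowed; a project scope, when present,
    # must be in the default domain.
    project = token.get("project")
    if project is not None:
        project_domain = project.get("domain", {}).get("id")
        if project_domain != default_domain_id:
            raise NotV2Representable(
                "project outside default domain: %r" % project_domain)


def v3_token(user_domain, project_domain=None, scoped_domain=None):
    """Build a constructed v3 token body for exercising the check."""
    token = {"user": {"id": "u1", "name": "alice", "domain": {"id": user_domain}}}
    if project_domain is not None:
        token["project"] = {"id": "p-" + project_domain, "name": "ops",
                            "domain": {"id": project_domain}}
    if scoped_domain is not None:
        token["domain"] = {"id": scoped_domain}
    return {"token": token}


def is_v2_representable(token_body):
    try:
        assert_v2_representable(token_body)
        return True
    except NotV2Representable:
        return False
```

The two constructed project-scoped tokens share the project name `ops` and differ only in domain, which is the collision a v2 client cannot distinguish.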
tags: added: fernet
Changed in keystone:
assignee: Dolph Mathews (dolph) → Guang Yee (guang-yee)
Changed in keystone:
assignee: Guang Yee (guang-yee) → Dolph Mathews (dolph)
summary: |
- v3 Fernet tokens with references outside the default domain can be - validated on v2 + v3 tokens with references outside the default domain can be validated on + v2 |
Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Changed in keystone:
milestone: liberty-3 → 8.0.0
Reviewed: https://review.openstack.org/192739
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a8c57027dad13389e1aebc242e18f9e05726b349
Submitter: Jenkins
Branch: master
commit a8c57027dad13389e1aebc242e18f9e05726b349
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 17 19:33:22 2015 +0000
Additional Fernet test coverage
This expands existing test coverage to include Fernet tokens, a few of
which expose a couple issues (see related bugs below).
Change-Id: I53374d41e4e5453817b6635aee56df625073d015
Related-Bug: 1459790
Related-Bug: 1475762