Able to request a V2 token for user and project in a non-default domain
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews | |
| Kilo | Fix Released | High | Dolph Mathews | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
Using the latest devstack, I am able to request a V2 token for user and project in a non-default domain. This is problematic as non-default domains are not supposed to be visible to V2 APIs.
Steps to reproduce:
1) install devstack
2) run these commands
```text
gyee@dev:~$ openstack --os-identity-
+------
| ID | Name | Enabled | Description |
+------
| 769ad7730e0c449
| default | Default | True | Owns users and tenants (i.e. projects) available on Identity API v2. |
+------
gyee@dev:~$ openstack --os-identity-
+------
| ID | Name |
+------
| cf0aa0b2d5db4d6
+------
gyee@dev:~$ openstack --os-identity-
+------
| ID | Name |
+------
| 413abdbfef5544e
+------
gyee@dev:~$ curl -k -H 'Content-Type: application/json' -d '{"auth": {"passwordCrede
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100  3006  100  2854  100   152  22164   1180 --:--:-- --:--:-- --:--:-- 22472
{
  "access": {
    "metadata": {
      ...
    },
    ...
    "token": {
      ...
      "id": "d68f365a9bb143
    },
    "user": {
      "id": "cf0aa0b2d5db4d
      "name": "bar",
      ...
    }
  }
}
```
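The invariant the report describes, as an added example that is not keystone's own code: a toy in-memory model of v2 token issuance with the unchecked path beside one that refuses users or projects outside the default domain, plus an audit helper a deployer could run over an already issued v2 token body. All ids, names and the simplified token layout are constructed for the example.

```python
# Added example (not keystone code): models the v2 domain-visibility check
# that this bug shows was missing. Records below are constructed samples.
DEFAULT_DOMAIN_ID = "default"

# Constructed directory: one user/project pair in a non-default domain
# ("ops") and one pair in the default domain. Ids are placeholders.
USERS = {
    "u-bar": {"name": "bar", "domain_id": "d-ops"},
    "u-alice": {"name": "alice", "domain_id": "default"},
}
PROJECTS = {
    "p-ops": {"name": "ops-project", "domain_id": "d-ops"},
    "p-demo": {"name": "demo", "domain_id": "default"},
}


def v2_visible(user_id, project_id, default_domain_id=DEFAULT_DOMAIN_ID):
    """True only when both user and project live in the default domain,
    which is the v2 API's entire view of the identity backend."""
    return (USERS[user_id]["domain_id"] == default_domain_id
            and PROJECTS[project_id]["domain_id"] == default_domain_id)


def issue_v2_token_unchecked(user_id, project_id):
    """Behaviour reported in the bug: any existing pair gets a token."""
    user, project = USERS[user_id], PROJECTS[project_id]
    return {"access": {"token": {"tenant": {"id": project_id, "name": project["name"]}},
                       "user": {"id": user_id, "name": user["name"]}}}


def issue_v2_token_checked(user_id, project_id):
    """Expected behaviour: refuse before issuing when either side is not
    in the default domain, so non-default domains stay invisible to v2."""
    if not v2_visible(user_id, project_id):
        raise PermissionError("user or project not in default domain; not visible to v2")
    return issue_v2_token_unchecked(user_id, project_id)


def audit_v2_token(token, default_domain_id=DEFAULT_DOMAIN_ID):
    """Defender-side check on an issued v2 token body: returns (kind, domain_id)
    for each of user/project that falls outside the default domain."""
    access = token["access"]
    findings = []
    user = USERS.get(access["user"]["id"])
    project = PROJECTS.get(access["token"]["tenant"]["id"])
    if user and user["domain_id"] != default_domain_id:
        findings.append(("user", user["domain_id"]))
    if project and project["domain_id"] != default_domain_id:
        findings.append(("project", project["domain_id"]))
    return findings
```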
description: updated
description: updated
Changed in keystone:
  milestone: none → liberty-3
  status: Fix Committed → Fix Released
Changed in ossa:
  status: Incomplete → Won't Fix
Changed in keystone:
  milestone: liberty-3 → 8.0.0
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.