trust redelegation allows trustee to create a trust (with impersonation set to true) from a redelegated trust (with impersonation set to false)

Bug #1539766 reported by Jorge Munoz on 2016-01-29
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Mikhail Nikolaenko

Bug Description

When creating a redelegated trust in keystone and the original trust did not allow impersonation, the redelegated trust should not be allowed to create a new trust with impersonation set to true.

Changed in keystone:
assignee: nobody → Jorge Munoz (jorge-munoz)
Changed in keystone:
milestone: none → mitaka-3
importance: Undecided → High

Fix proposed to branch: master
Review: https://review.openstack.org/276474

Changed in keystone:
status: New → In Progress
summary: - Keystone’s trust redelegation allows trustee user to create a trust with
- impersonation from redelegated trust that did not allow impersonation.
+ trust redelegation allows trustee to create a trust (with impersonation
+ set to true) from a redelegated trust (with impersonation set to false)
Steve Martinelli (stevemar) wrote :

I don't see a patch for this, bumping it to triaged

Changed in keystone:
status: In Progress → Triaged
assignee: Jorge Munoz (jorge-munoz) → nobody
importance: High → Medium
tags: added: trusts
Steve Martinelli (stevemar) wrote :

removing milestone target - i don't think this is necessary for mitaka, it was in liberty and kilo and no one noticed. we can fix it in newton

Changed in keystone:
milestone: mitaka-3 → none
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)

Fix proposed to branch: master
Review: https://review.openstack.org/330045

Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Mikhail Nikolaenko (mnikolaenko)
status: Triaged → In Progress
Changed in keystone:
milestone: none → newton-2

Reviewed: https://review.openstack.org/330045
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=89d513595c0a2c828a36ec721ccfdfdd77e6bfb0
Submitter: Jenkins
Branch: master

commit 89d513595c0a2c828a36ec721ccfdfdd77e6bfb0
Author: Mikhail Nikolaenko <email address hidden>
Date: Wed Jun 15 15:58:26 2016 +0000

    Validate impersonation in trust redelegation

    Forbids trustee to create a trust (with impersonation set to true) from
    a redelegated trust (with impersonation set to false).

    Change-Id: I53a593a2056c8e8fa0292a806c3b4b48c16ad7fd
    Closes-Bug: #1539766

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 10.0.0.0b2 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers