trust redelegation allows trustee to create a trust (with impersonation set to true) from a redelegated trust (with impersonation set to false)

Bug #1539766 reported by Jorge Munoz
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Mikhail Nikolaenko

Bug Description

When creating a redelegated trust in keystone and the original trust did not allow impersonation, the redelegated trust should not be allowed to create a new trust with impersonation set to true.

Tags: trusts
Changed in keystone:
assignee: nobody → Jorge Munoz (jorge-munoz)
Changed in keystone:
milestone: none → mitaka-3
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/276474

Changed in keystone:
status: New → In Progress
summary: - Keystone’s trust redelegation allows trustee user to create a trust with
- impersonation from redelegated trust that did not allow impersonation.
+ trust redelegation allows trustee to create a trust (with impersonation
+ set to true) from a redelegated trust (with impersonation set to false)
Steve Martinelli (stevemar) wrote :

I don't see a patch for this, bumping it to triaged

Changed in keystone:
status: In Progress → Triaged
assignee: Jorge Munoz (jorge-munoz) → nobody
importance: High → Medium
tags: added: trusts
Steve Martinelli (stevemar) wrote :

Removing milestone target - I don't think this is necessary for mitaka, it was in liberty and kilo and no one noticed. We can fix it in newton.

Changed in keystone:
milestone: mitaka-3 → none
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/330045

Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Mikhail Nikolaenko (mnikolaenko)
status: Triaged → In Progress
Changed in keystone:
milestone: none → newton-2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/330045
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=89d513595c0a2c828a36ec721ccfdfdd77e6bfb0
Submitter: Jenkins
Branch: master

commit 89d513595c0a2c828a36ec721ccfdfdd77e6bfb0
Author: Mikhail Nikolaenko <email address hidden>
Date: Wed Jun 15 15:58:26 2016 +0000

    Validate impersonation in trust redelegation

    Forbids trustee to create a trust (with impersonation set to true) from
    a redelegated trust (with impersonation set to false).

    Change-Id: I53a593a2056c8e8fa0292a806c3b4b48c16ad7fd
    Closes-Bug: #1539766

Changed in keystone:
status: In Progress → Fix Released
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/keystone 10.0.0.0b2

This issue was fixed in the openstack/keystone 10.0.0.0b2 development milestone.
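
The rule this bug asks for, written out as an added example (it is not keystone's code or the merged patch): a trust redelegated from a trust with impersonation set to false may not set impersonation to true, and the same rule can be run over stored trust records to find any that were created before the fix. The record fields `id`, `impersonation` and `redelegated_trust_id`, the function names and all sample values are assumptions constructed for illustration.

```python
class Forbidden(Exception):
    """Raised when a requested trust grants more than its parent trust."""


def validate_impersonation(parent, requested):
    """Reject a redelegation that turns impersonation on.

    `parent` is the trust being redelegated; `requested` is the new trust
    the trustee is trying to create from it. Both are plain dicts here.
    """
    if requested["impersonation"] and not parent["impersonation"]:
        raise Forbidden(
            "trust %s does not allow impersonation, so a trust "
            "redelegated from it cannot enable it" % parent["id"])


def audit_trusts(trusts):
    """Return ids of stored trusts that enable impersonation although the
    trust they were redelegated from had it disabled."""
    by_id = {t["id"]: t for t in trusts}
    violations = []
    for trust in trusts:
        parent = by_id.get(trust.get("redelegated_trust_id"))
        if parent is None:
            continue  # root trust, or parent record no longer stored
        try:
            validate_impersonation(parent, trust)
        except Forbidden:
            violations.append(trust["id"])
    return violations


# Constructed sample records (not real keystone data).
SAMPLE_TRUSTS = [
    # Root trust without impersonation ...
    {"id": "t1", "impersonation": False, "redelegated_trust_id": None},
    # ... redelegated with impersonation switched on: the case in this bug.
    {"id": "t2", "impersonation": True, "redelegated_trust_id": "t1"},
    # Redelegated without impersonation: allowed.
    {"id": "t3", "impersonation": False, "redelegated_trust_id": "t1"},
    # Root trust with impersonation, redelegated unchanged: allowed.
    {"id": "t4", "impersonation": True, "redelegated_trust_id": None},
    {"id": "t5", "impersonation": True, "redelegated_trust_id": "t4"},
]

if __name__ == "__main__":
    print(audit_trusts(SAMPLE_TRUSTS))
```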
