Activity log for bug #1779205

Date Who What changed Old value New value Message
2018-06-28 20:19:03 Lance Bragstad bug added bug
2018-06-28 20:19:35 Lance Bragstad bug added subscriber Kristi Nikolla
2018-06-28 20:23:02 Lance Bragstad description

Old value: the same text as the new value below, except that its closing note read "Notice that I used the devstack cloud config, which specifies the demo user who only have the `member` and `anotherrole` assigned on two projects. In no way should they have access to view all projects in the deployment."

New value:

The /v3/OS-FEDERATION/projects API was developed to let federated users discover what projects they have access to. This mirrored a similar API in keystone, v3/auth/projects. Both were intended to behave the same way, by only returning what projects a user has a role assignment on. Eventually the /v3/OS-FEDERATION/projects API was deprecated after the /v3/auth/projects API was able to support federated tokens.

The /v3/OS-FEDERATION/projects API appears to be broken because it returns all projects in the deployment, not just the ones a user has access to.

The following recreates the issue:

    lbragstad|devstack|~ >>> cat /etc/openstack/clouds.yaml
    clouds:
      devstack:
        auth:
          auth_url: http://192.168.1.5/identity
          password: nomoresecret
          project_domain_id: default
          project_name: demo
          user_domain_id: default
          username: demo
        identity_api_version: '3'
        region_name: RegionOne
        volume_api_version: '2'
      devstack-admin:
        auth:
          auth_url: http://192.168.1.5/identity
          password: nomoresecret
          project_domain_id: default
          project_name: admin
          user_domain_id: default
          username: admin
        identity_api_version: '3'
        region_name: RegionOne
        volume_api_version: '2'
      devstack-alt:
        auth:
          auth_url: http://192.168.1.5/identity
          password: nomoresecret
          project_domain_id: default
          project_name: alt_demo
          user_domain_id: default
          username: alt_demo
        identity_api_version: '3'
        region_name: RegionOne
        volume_api_version: '2'

    lbragstad|devstack|~ >>> openstack role assignment list --names --os-cloud devstack-admin
    +-------------+------------------+-------------------+----------------------------+---------+-----------+
    | Role        | User             | Group             | Project                    | Domain  | Inherited |
    +-------------+------------------+-------------------+----------------------------+---------+-----------+
    | member      |                  | nonadmins@Default | demo@Default               |         | False     |
    | anotherrole |                  | nonadmins@Default | demo@Default               |         | False     |
    | member      |                  | nonadmins@Default | alt_demo@Default           |         | False     |
    | anotherrole |                  | nonadmins@Default | alt_demo@Default           |         | False     |
    | admin       |                  | admins@Default    | admin@Default              |         | False     |
    | admin       | admin@Default    |                   | demo@Default               |         | False     |
    | admin       | admin@Default    |                   | admin@Default              |         | False     |
    | admin       | admin@Default    |                   | alt_demo@Default           |         | False     |
    | admin       | admin@Default    |                   |                            | Default | False     |
    | member      | demo@Default     |                   | demo@Default               |         | False     |
    | anotherrole | demo@Default     |                   | demo@Default               |         | False     |
    | member      | demo@Default     |                   | invisible_to_admin@Default |         | False     |
    | member      | alt_demo@Default |                   | alt_demo@Default           |         | False     |
    | anotherrole | alt_demo@Default |                   | alt_demo@Default           |         | False     |
    | admin       | admin@Default    |                   |                            |         | False     |
    +-------------+------------------+-------------------+----------------------------+---------+-----------+

    lbragstad|devstack|~ >>> openstack token issue --os-cloud devstack
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2018-06-28T21:03:47+0000 |
    | id         | gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w |
    | project_id | 44053df0d12f4ba0aa4c28c3364aa1a1 |
    | user_id    | cef2773684114d55a6399e928ecc78e4 |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

    lbragstad|devstack|~ >>> export TOKEN='gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w'

    lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/auth/projects | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   669  100   669    0     0  20476      0 --:--:-- --:--:-- --:--:-- 20906
    {
        "links": {
            "next": null,
            "previous": null,
            "self": "http://192.168.1.5/identity/v3/auth/projects"
        },
        "projects": [
            {
                "description": "",
                "domain_id": "default",
                "enabled": true,
                "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
                "is_domain": false,
                "links": {
                    "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
                },
                "name": "demo",
                "parent_id": "default",
                "tags": []
            },
            {
                "description": "",
                "domain_id": "default",
                "enabled": true,
                "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
                "is_domain": false,
                "links": {
                    "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
                },
                "name": "invisible_to_admin",
                "parent_id": "default",
                "tags": []
            }
        ]
    }

    lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/OS-FEDERATION/projects | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  1270  100  1270    0     0  17528      0 --:--:-- --:--:-- --:--:-- 17638
    {
        "links": {
            "next": null,
            "previous": null,
            "self": "http://192.168.1.5/identity/v3/OS-FEDERATION/projects"
        },
        "projects": [
            {
                "description": "",
                "domain_id": "default",
                "enabled": true,
                "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
                "is_domain": false,
                "links": {
                    "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
                },
                "name": "demo",
                "parent_id": "default",
                "tags": []
            },
            {
                "description": "Bootstrap project for initializing the cloud.",
                "domain_id": "default",
                "enabled": true,
                "id": "681b94352ed146b5ac37c152653e90d2",
                "is_domain": false,
                "links": {
                    "self": "http://192.168.1.5/identity/v3/projects/681b94352ed146b5ac37c152653e90d2"
                },
                "name": "admin",
                "parent_id": "default",
                "tags": []
            },
            {
                "description": "",
                "domain_id": "default",
                "enabled": true,
                "id": "9a742b4684dc4c8a90dc4896f9ab178e",
                "is_domain": false,
                "links": {
                    "self": "http://192.168.1.5/identity/v3/projects/9a742b4684dc4c8a90dc4896f9ab178e"
                },
                "name": "alt_demo",
                "parent_id": "default",
                "tags": []
            },
            {
                "description": "",
                "domain_id": "default",
                "enabled": true,
                "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
                "is_domain": false,
                "links": {
                    "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
                },
                "name": "invisible_to_admin",
                "parent_id": "default",
                "tags": []
            }
        ]
    }

Notice that I used the devstack cloud config, which specifies the demo user who only has the `member` and `anotherrole` assigned on two projects (demo and invisible_to_admin). In no way should they have access to view all projects in the deployment.
2018-06-28 20:23:09 Lance Bragstad keystone: status New Triaged
2018-06-28 20:23:12 Lance Bragstad keystone: importance Undecided Critical
2018-06-28 22:53:34 Morgan Fainberg description

New value: the following notice was added ahead of the existing description, which is otherwise unchanged.

This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
2018-06-28 22:53:47 Morgan Fainberg bug added subscriber Keystone Core security contacts
2018-06-28 22:54:58 Morgan Fainberg bug task added ossa
2018-06-28 22:55:04 Morgan Fainberg ossa: status New Incomplete
2018-06-29 03:18:01 Tristan Cacqueray ossa: status Incomplete Confirmed
2018-06-29 15:14:46 Morgan Fainberg keystone: milestone rocky-3
2018-06-29 16:43:47 Matthew Thode bug added subscriber Matthew Thode
2018-06-29 19:38:40 Lance Bragstad attachment added 0001-Reduce-duplication-in-federated-auth-APIs.patch https://bugs.launchpad.net/keystone/+bug/1779205/+attachment/5157892/+files/0001-Reduce-duplication-in-federated-auth-APIs.patch
2018-06-29 19:47:29 Lance Bragstad removed subscriber Kristi Nikolla
2018-07-06 14:47:10 Kristi Nikolla attachment added 0001-Reduce-duplication-in-federated-auth-APIs.patch https://bugs.launchpad.net/keystone/+bug/1779205/+attachment/5160431/+files/0001-Reduce-duplication-in-federated-auth-APIs.patch
2018-07-10 06:03:04 Matthew Thode ossa: status Confirmed Triaged
2018-07-16 21:18:51 Lance Bragstad attachment added 0001-Reduce-duplication-in-federated-auth-APIs.patch https://bugs.launchpad.net/keystone/+bug/1779205/+attachment/5164290/+files/0001-Reduce-duplication-in-federated-auth-APIs.patch
2018-07-16 21:21:52 Lance Bragstad attachment added 0001-Reduce-duplication-in-federated-auth-APIs.patch https://bugs.launchpad.net/keystone/+bug/1779205/+attachment/5164291/+files/0001-Reduce-duplication-in-federated-auth-APIs.patch
2018-07-16 21:23:47 Lance Bragstad attachment added 0001-Reduce-duplication-in-federated-auth-APIs.patch https://bugs.launchpad.net/keystone/+bug/1779205/+attachment/5164292/+files/0001-Reduce-duplication-in-federated-auth-APIs.patch
2018-07-16 21:32:25 Lance Bragstad attachment added 0001-Reduce-duplication-in-federated-auth-APIs-ocata.patch https://bugs.launchpad.net/keystone/+bug/1779205/+attachment/5164301/+files/0001-Reduce-duplication-in-federated-auth-APIs-ocata.patch
2018-07-20 07:28:38 Matthew Thode cve linked 2018-14432
2018-07-20 16:32:48 Matthew Thode ossa: status Triaged Fix Committed
2018-07-20 16:33:09 Matthew Thode ossa: assignee Matthew Thode (prometheanfire)
2018-07-20 16:43:15 Matthew Thode bug added subscriber Mohammed Naser
2018-07-23 01:32:11 Tony Breeds bug added subscriber James Hebden
2018-07-25 15:05:32 Matthew Thode information type Private Security Public Security
2018-07-25 15:20:44 OpenStack Infra keystone: status Triaged In Progress
2018-07-25 15:20:44 OpenStack Infra keystone: assignee Lance Bragstad (lbragstad)
2018-07-25 16:00:50 Matthew Thode summary GET /v3/OS-FEDERATION/projects leaks project information [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE--2018-14432)
2018-07-25 22:15:57 Matthew Thode ossa: status Fix Committed Fix Released
2018-07-25 22:16:21 Matthew Thode ossa: status Fix Released Fix Committed
2018-07-26 01:31:42 Jeremy Stanley description This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

The /v3/OS-FEDERATION/projects API was developed to let federated users discover what projects they have access to. This mirrored a similar API in keystone, v3/auth/projects. Both were intended to behave the same way, by only returning what projects a user has a role assignment on. Eventually the /v3/OS-FEDERATION/projects API was deprecated after the /v3/auth/projects API was able to support federated tokens. The /v3/OS-FEDERATION/projects API appears to be broken because it returns all projects in the deployment, not just the ones a user has access to.

The following recreates the issue:

lbragstad|devstack|~ >>> cat /etc/openstack/clouds.yaml
clouds:
  devstack:
    auth:
      auth_url: http://192.168.1.5/identity
      password: nomoresecret
      project_domain_id: default
      project_name: demo
      user_domain_id: default
      username: demo
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '2'
  devstack-admin:
    auth:
      auth_url: http://192.168.1.5/identity
      password: nomoresecret
      project_domain_id: default
      project_name: admin
      user_domain_id: default
      username: admin
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '2'
  devstack-alt:
    auth:
      auth_url: http://192.168.1.5/identity
      password: nomoresecret
      project_domain_id: default
      project_name: alt_demo
      user_domain_id: default
      username: alt_demo
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '2'

lbragstad|devstack|~ >>> openstack role assignment list --names --os-cloud devstack-admin
+-------------+------------------+-------------------+----------------------------+---------+-----------+
| Role        | User             | Group             | Project                    | Domain  | Inherited |
+-------------+------------------+-------------------+----------------------------+---------+-----------+
| member      |                  | nonadmins@Default | demo@Default               |         | False     |
| anotherrole |                  | nonadmins@Default | demo@Default               |         | False     |
| member      |                  | nonadmins@Default | alt_demo@Default           |         | False     |
| anotherrole |                  | nonadmins@Default | alt_demo@Default           |         | False     |
| admin       |                  | admins@Default    | admin@Default              |         | False     |
| admin       | admin@Default    |                   | demo@Default               |         | False     |
| admin       | admin@Default    |                   | admin@Default              |         | False     |
| admin       | admin@Default    |                   | alt_demo@Default           |         | False     |
| admin       | admin@Default    |                   |                            | Default | False     |
| member      | demo@Default     |                   | demo@Default               |         | False     |
| anotherrole | demo@Default     |                   | demo@Default               |         | False     |
| member      | demo@Default     |                   | invisible_to_admin@Default |         | False     |
| member      | alt_demo@Default |                   | alt_demo@Default           |         | False     |
| anotherrole | alt_demo@Default |                   | alt_demo@Default           |         | False     |
| admin       | admin@Default    |                   |                            |         | False     |
+-------------+------------------+-------------------+----------------------------+---------+-----------+

lbragstad|devstack|~ >>> openstack token issue --os-cloud devstack
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-06-28T21:03:47+0000 |
| id         | gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w |
| project_id | 44053df0d12f4ba0aa4c28c3364aa1a1 |
| user_id    | cef2773684114d55a6399e928ecc78e4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

lbragstad|devstack|~ >>> export TOKEN='gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w'

lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/auth/projects | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   669  100   669    0     0  20476      0 --:--:-- --:--:-- --:--:-- 20906
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.1.5/identity/v3/auth/projects"
    },
    "projects": [
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
            },
            "name": "demo",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
            },
            "name": "invisible_to_admin",
            "parent_id": "default",
            "tags": []
        }
    ]
}

lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/OS-FEDERATION/projects | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1270  100  1270    0     0  17528      0 --:--:-- --:--:-- --:--:-- 17638
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.1.5/identity/v3/OS-FEDERATION/projects"
    },
    "projects": [
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
            },
            "name": "demo",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "Bootstrap project for initializing the cloud.",
            "domain_id": "default",
            "enabled": true,
            "id": "681b94352ed146b5ac37c152653e90d2",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/681b94352ed146b5ac37c152653e90d2"
            },
            "name": "admin",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "9a742b4684dc4c8a90dc4896f9ab178e",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/9a742b4684dc4c8a90dc4896f9ab178e"
            },
            "name": "alt_demo",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
            },
            "name": "invisible_to_admin",
            "parent_id": "default",
            "tags": []
        }
    ]
}

Notice that I used the devstack cloud config, which specifies the demo user who only has the `member` and `anotherrole` assigned on two projects (demo and invisible_to_admin). In no way should they have access to view all projects in the deployment.

The /v3/OS-FEDERATION/projects API was developed to let federated users discover what projects they have access to. This mirrored a similar API in keystone, v3/auth/projects. Both were intended to behave the same way, by only returning what projects a user has a role assignment on. Eventually the /v3/OS-FEDERATION/projects API was deprecated after the /v3/auth/projects API was able to support federated tokens. The /v3/OS-FEDERATION/projects API appears to be broken because it returns all projects in the deployment, not just the ones a user has access to.

The following recreates the issue:

lbragstad|devstack|~ >>> cat /etc/openstack/clouds.yaml
clouds:
  devstack:
    auth:
      auth_url: http://192.168.1.5/identity
      password: nomoresecret
      project_domain_id: default
      project_name: demo
      user_domain_id: default
      username: demo
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '2'
  devstack-admin:
    auth:
      auth_url: http://192.168.1.5/identity
      password: nomoresecret
      project_domain_id: default
      project_name: admin
      user_domain_id: default
      username: admin
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '2'
  devstack-alt:
    auth:
      auth_url: http://192.168.1.5/identity
      password: nomoresecret
      project_domain_id: default
      project_name: alt_demo
      user_domain_id: default
      username: alt_demo
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '2'

lbragstad|devstack|~ >>> openstack role assignment list --names --os-cloud devstack-admin
+-------------+------------------+-------------------+----------------------------+---------+-----------+
| Role        | User             | Group             | Project                    | Domain  | Inherited |
+-------------+------------------+-------------------+----------------------------+---------+-----------+
| member      |                  | nonadmins@Default | demo@Default               |         | False     |
| anotherrole |                  | nonadmins@Default | demo@Default               |         | False     |
| member      |                  | nonadmins@Default | alt_demo@Default           |         | False     |
| anotherrole |                  | nonadmins@Default | alt_demo@Default           |         | False     |
| admin       |                  | admins@Default    | admin@Default              |         | False     |
| admin       | admin@Default    |                   | demo@Default               |         | False     |
| admin       | admin@Default    |                   | admin@Default              |         | False     |
| admin       | admin@Default    |                   | alt_demo@Default           |         | False     |
| admin       | admin@Default    |                   |                            | Default | False     |
| member      | demo@Default     |                   | demo@Default               |         | False     |
| anotherrole | demo@Default     |                   | demo@Default               |         | False     |
| member      | demo@Default     |                   | invisible_to_admin@Default |         | False     |
| member      | alt_demo@Default |                   | alt_demo@Default           |         | False     |
| anotherrole | alt_demo@Default |                   | alt_demo@Default           |         | False     |
| admin       | admin@Default    |                   |                            |         | False     |
+-------------+------------------+-------------------+----------------------------+---------+-----------+

lbragstad|devstack|~ >>> openstack token issue --os-cloud devstack
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-06-28T21:03:47+0000 |
| id         | gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w |
| project_id | 44053df0d12f4ba0aa4c28c3364aa1a1 |
| user_id    | cef2773684114d55a6399e928ecc78e4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

lbragstad|devstack|~ >>> export TOKEN='gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w'

lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/auth/projects | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   669  100   669    0     0  20476      0 --:--:-- --:--:-- --:--:-- 20906
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.1.5/identity/v3/auth/projects"
    },
    "projects": [
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
            },
            "name": "demo",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
            },
            "name": "invisible_to_admin",
            "parent_id": "default",
            "tags": []
        }
    ]
}

lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/OS-FEDERATION/projects | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1270  100  1270    0     0  17528      0 --:--:-- --:--:-- --:--:-- 17638
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.1.5/identity/v3/OS-FEDERATION/projects"
    },
    "projects": [
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
            },
            "name": "demo",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "Bootstrap project for initializing the cloud.",
            "domain_id": "default",
            "enabled": true,
            "id": "681b94352ed146b5ac37c152653e90d2",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/681b94352ed146b5ac37c152653e90d2"
            },
            "name": "admin",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "9a742b4684dc4c8a90dc4896f9ab178e",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/9a742b4684dc4c8a90dc4896f9ab178e"
            },
            "name": "alt_demo",
            "parent_id": "default",
            "tags": []
        },
        {
            "description": "",
            "domain_id": "default",
            "enabled": true,
            "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
            "is_domain": false,
            "links": {
                "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
            },
            "name": "invisible_to_admin",
            "parent_id": "default",
            "tags": []
        }
    ]
}

Notice that I used the devstack cloud config, which specifies the demo user who only has the `member` and `anotherrole` assigned on two projects (demo and invisible_to_admin). In no way should they have access to view all projects in the deployment.
2018-07-26 01:32:15 Jeremy Stanley summary [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE--2018-14432) [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)
2018-07-26 02:04:41 OpenStack Infra tags in-stable-queens
2018-07-26 05:23:01 OpenStack Infra tags in-stable-queens in-stable-ocata in-stable-queens
2018-07-26 10:12:08 OpenStack Infra keystone: status In Progress Fix Released
2018-07-26 12:59:02 OpenStack Infra tags in-stable-ocata in-stable-queens in-stable-ocata in-stable-pike in-stable-queens
2018-07-26 13:33:59 Jeremy Stanley ossa: status Fix Committed Fix Released
2018-07-27 15:23:30 Lance Bragstad nominated for series keystone/ocata
2018-07-27 15:23:30 Lance Bragstad bug task added keystone/ocata
2018-07-27 15:23:30 Lance Bragstad nominated for series keystone/queens
2018-07-27 15:23:30 Lance Bragstad bug task added keystone/queens
2018-07-27 15:23:30 Lance Bragstad nominated for series keystone/rocky
2018-07-27 15:23:30 Lance Bragstad bug task added keystone/rocky
2018-07-27 15:23:30 Lance Bragstad nominated for series keystone/pike
2018-07-27 15:23:30 Lance Bragstad bug task added keystone/pike
2018-07-27 15:23:40 Lance Bragstad keystone/ocata: status New Fix Released
2018-07-27 15:23:48 Lance Bragstad keystone/pike: importance Undecided Critical
2018-07-27 15:24:02 Lance Bragstad keystone/queens: status New Fix Released
2018-07-27 15:24:09 Lance Bragstad keystone/ocata: assignee Lance Bragstad (lbragstad)
2018-07-27 15:24:13 Lance Bragstad keystone/queens: assignee Lance Bragstad (lbragstad)
2018-07-27 15:24:16 Lance Bragstad keystone/pike: status New Fix Released
2018-07-27 15:24:19 Lance Bragstad keystone/ocata: importance Undecided Critical
2018-07-27 15:24:21 Lance Bragstad keystone/queens: importance Undecided Critical
2018-07-27 15:24:26 Lance Bragstad keystone/pike: assignee Lance Bragstad (lbragstad)