keystone rbacenforcer not populating policy dict with view args

Bug #1792047 reported by Morgan Fainberg on 2018-09-11
Affects                          Importance   Assigned to
OpenStack Identity (keystone)    High         Morgan Fainberg
  Rocky series                   High         Morgan Fainberg
  Stein series                   High         Morgan Fainberg

Bug Description

The old @protected decorator pushed the view arguments into the policy_dict for enforcement purposes [0]. This was missed in the new RBACEnforcer.

[0] https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152
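As an added illustration (not keystone's code), the toy evaluator below shows why a policy dict without the view args fails closed rather than open: a v3cloud-style rule such as user_id:%(user_id)s refers to a target attribute that only the URL path supplies, so when the view args are missing from the policy dict the check can never match and a plain user is denied access to their own record. The policy strings, credential dicts and the enforce() helper are constructed for this example and are assumptions, not keystone's real policy file or RBACEnforcer API.

```python
"""Toy reproduction of the view-args regression described in this bug.

Added example, not keystone's code. The evaluator mimics the shape of
oslo.policy checks ("role:admin", "user_id:%(user_id)s", "rule:name",
joined by "and"/"or") so it runs stand-alone. SAMPLE_POLICY, the creds
dicts and enforce() are constructed for illustration and are assumptions.
"""
import re

# Constructed sample policy in the style of keystone's v3cloud policy:
# admins may read any user; a plain user may read only their own record.
# The %(user_id)s target attribute comes from the URL path, i.e. view args.
SAMPLE_POLICY = {
    "admin_required": "role:admin",
    "identity:get_user": "rule:admin_required or user_id:%(user_id)s",
    "identity:list_users": "rule:admin_required",
}

_SUBST = re.compile(r"^%\((\w+)\)s$")


def _check(policy, check, creds, target):
    """Evaluate one atomic check of the form kind:match."""
    kind, _, match = check.partition(":")
    if kind == "rule":
        return _rule(policy, policy[match], creds, target)
    if kind == "role":
        return match in creds.get("roles", ())
    m = _SUBST.match(match)
    if m:
        key = m.group(1)
        # A %(key)s substitution naming an attribute that is absent from the
        # policy dict cannot match anything: the check fails closed.
        if key not in target:
            return False
        return str(creds.get(kind)) == str(target[key])
    return str(creds.get(kind)) == match


def _rule(policy, expr, creds, target):
    """'or' binds loosest, 'and' tighter (no parentheses in this toy grammar)."""
    return any(
        all(_check(policy, c.strip(), creds, target) for c in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(policy, action, creds, view_args, include_view_args):
    """Build the policy dict and enforce `action` against it.

    include_view_args=False reproduces the regressed RBACEnforcer, whose
    policy dict lacked the view args; True reproduces the old @protected
    behaviour that the fix restores.
    """
    target = {}
    if include_view_args:
        target.update(view_args)
    return _rule(policy, policy[action], creds, target)


# Constructed sample request: a member token for user u1 calling GET /v3/users/u1.
MEMBER_CREDS = {"user_id": "u1", "roles": ["member"]}
ADMIN_CREDS = {"user_id": "a1", "roles": ["admin"]}
VIEW_ARGS = {"user_id": "u1"}

if __name__ == "__main__":
    for label, creds in (("member", MEMBER_CREDS), ("admin", ADMIN_CREDS)):
        for flag in (False, True):
            ok = enforce(SAMPLE_POLICY, "identity:get_user", creds, VIEW_ARGS, flag)
            verdict = "allow" if ok else "deny"
            print(f"{label:6} get_user view_args_in_policy_dict={flag!s:5} -> {verdict}")
```

Run as a script, the member case denies only when the view args are left out of the policy dict, while the admin case allows either way, which is why the regression surfaced as an over-restrictive API rather than as a privilege escalation.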

Changed in keystone:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Morgan Fainberg (mdrnstm)
Changed in keystone:
status: Triaged → In Progress
Jeremy Stanley (fungi) wrote :

Is this considered exploitable (class A vulnerability report)? Or should it be using the security bugtag to indicate a hardening opportunity instead of the Public Security bug type?

Morgan Fainberg (mdrnstm) wrote :

The concern is the opposite of exploitable. It can lock keystone's API too closed. It is security in that sense, it should be a tag I guess.

On Wed, Sep 12, 2018, 08:41 Jeremy Stanley <email address hidden> wrote:

> Is this considered exploitable (class A vulnerability report)? Or should
> it be using the security bugtag to indicate a hardening opportunity
> instead of the Public Security bug type?

information type: Public Security → Public
tags: added: policy security

Reviewed: https://review.openstack.org/601875
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4975b79e8174587f7639347939cf679460d4896b
Submitter: Zuul
Branch: master

commit 4975b79e8174587f7639347939cf679460d4896b
Author: morgan fainberg <email address hidden>
Date: Tue Sep 11 16:03:54 2018 -0700

    Ensure view args is in policy dict

    The policy_dict (in enforcement) was not populating the view args
    in a similar manner to the old style @protected decorator. This
    change ensures that we mirror the old behavior (required for
    proper use of v3cloud policy).

    Change-Id: Ida9009a95a874be9cc60c3152d4e3225726562eb
    Partial-Bug: #1776504
    Closes-Bug: #1792047

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/601882
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0c71cdd23bd2a7e4f7ec1a5ecec91f3ed7457d00
Submitter: Zuul
Branch: stable/rocky

commit 0c71cdd23bd2a7e4f7ec1a5ecec91f3ed7457d00
Author: morgan fainberg <email address hidden>
Date: Tue Sep 11 16:03:54 2018 -0700

    Ensure view args is in policy dict

    The policy_dict (in enforcement) was not populating the view args
    in a similar manner to the old style @protected decorator. This
    change ensures that we mirror the old behavior (required for
    proper use of v3cloud policy).

    Conflicts:
        keystone/tests/unit/common/test_rbac_enforcer.py

    Change-Id: Ida9009a95a874be9cc60c3152d4e3225726562eb
    Partial-Bug: #1776504
    Closes-Bug: #1792047
    (cherry picked from commit 4975b79e8174587f7639347939cf679460d4896b)

This issue was fixed in the openstack/keystone 14.0.1 release.

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
