The concern is the opposite of exploitable. It can lock keystone's API too
closed. It is security in that sense; it should be a tag, I guess.
On Wed, Sep 12, 2018, 08:41 Jeremy Stanley <email address hidden> wrote:
> Is this considered exploitable (class A vulnerability report)? Or should
> it be using the security bugtag to indicate a hardening opportunity
> instead of the Public Security bug type?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> Matching subscriptions: Private security bugs
> https://bugs.launchpad.net/bugs/1792047
>
> Title:
> keystone rbacenforcer not populating policy dict with view args
>
> Status in OpenStack Identity (keystone):
> In Progress
> Status in OpenStack Identity (keystone) rocky series:
> In Progress
> Status in OpenStack Identity (keystone) stein series:
> In Progress
>
> Bug description:
> The old @protected decorator pushed the view arguments into the
> policy_dict for enforcement purposes[0]. This was missed in the new
> RBACEnforcer.
>
> [0]
>
> https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1792047/+subscriptions
>
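As an added example (a constructed illustration, not keystone's own code), a minimal "attr:%(key)s" rule check in the style of oslo.policy generic checks shows why a policy dict that omits the view arguments fails closed: the `OWNER_RULE`, `build_policy_dict` and `owner_allowed` names, and the sample credentials, are assumptions made for this example.

```python
import re

# Constructed illustration of the failure mode described in the bug: a policy
# rule whose placeholder must be filled from the view arguments (the user_id in
# the request URL). If the enforcer never merges those arguments into the
# policy dict, the placeholder cannot be resolved and the check denies.

# Hypothetical self-service rule: the caller may act on their own user record.
OWNER_RULE = "user_id:%(user_id)s"
_PLACEHOLDER = re.compile(r"%\((\w+)\)s")


def build_policy_dict(request_context, view_args, include_view_args):
    """Build the dict a rule is evaluated against.

    include_view_args=True mimics the old @protected decorator, which merged
    the view arguments into the policy dict before enforcement.
    include_view_args=False mimics the regression: view args are left out.
    """
    policy_dict = dict(request_context)
    if include_view_args:
        policy_dict.update(view_args)
    return policy_dict


def check(rule, creds, policy_dict):
    """Evaluate one 'attr:%(key)s' rule. An unresolvable key fails closed."""
    attr, template = rule.split(":", 1)
    if attr not in creds:
        return False
    try:
        expected = _PLACEHOLDER.sub(lambda m: str(policy_dict[m.group(1)]), template)
    except KeyError:
        return False  # placeholder missing from the policy dict -> deny
    return str(creds[attr]) == expected


def owner_allowed(include_view_args, caller="u-123", target="u-123"):
    creds = {"user_id": caller}          # constructed token credentials
    view_args = {"user_id": target}      # constructed URL args (e.g. /v3/users/u-123)
    ctx = {"project_id": "p-1"}          # constructed request context
    return check(OWNER_RULE, creds, build_policy_dict(ctx, view_args, include_view_args))


if __name__ == "__main__":
    print("owner, with view args:", owner_allowed(True))        # True
    print("owner, without view args:", owner_allowed(False))    # False: API locked too closed
    print("other user, with view args:", owner_allowed(True, caller="u-999"))  # False
```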