Comment 9 for bug 1872733

kay (kay-diam) wrote : Re: Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID

Hi Colleen. Could you also add protection and a unit test for the create action? It is not so serious, but it would be great to have.

As I mentioned in the original ticket, it is possible to create EC2 credentials with any existing project ID, even if it is a domain ID:

curl -X POST https://keystone/v3/credentials -H 'Accept: application/json' -H 'Content-Type: application/json' -H "X-Auth-Token: ***" -d'{
  "credential": {
    "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}",
    "id": "3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f",
    "project_id": "_any_project_id_",
    "type": "ec2",
    "user_id": "_my_user_id_"
  }
}'

This credential won't be useful, but it would be great to have this protection.
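Added example, not Keystone's code: one shape the requested create-side check could take, written as a standalone Python function with a simplified token context and a constructed set of project and domain IDs (all assumptions, not real Keystone identifiers).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory standing in for the identity backend (assumption).
KNOWN_PROJECTS = {"proj-a", "proj-b"}
KNOWN_DOMAINS = {"default"}


@dataclass
class TokenContext:
    """Minimal stand-in for the caller's token: who they are and what they are scoped to."""
    user_id: str
    project_id: Optional[str]  # None for an unscoped or domain-scoped token
    is_admin: bool = False


def check_credential_create(ctx: TokenContext, credential: dict) -> Optional[str]:
    """Return None if the create request is allowed, otherwise a rejection reason.

    The checks mirror the two fields the report flags: the credential's owner
    (user_id) must be the caller, and the target project_id must be a real
    project (not a domain) that the caller's token is actually scoped to.
    """
    if ctx.is_admin:
        return None
    if credential.get("user_id") != ctx.user_id:
        return "user_id must match the token's user"
    target = credential.get("project_id")
    if target is None:
        return None  # no project binding requested; nothing further to verify
    if target in KNOWN_DOMAINS or target not in KNOWN_PROJECTS:
        return "project_id does not refer to an existing project"
    if target != ctx.project_id:
        return "project_id must match the project the token is scoped to"
    return None
```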