Comment 0 for bug 1872735

kay (kay-diam) wrote : EC2 and/or credential endpoints are not protected from a scoped context

Being authorized within a limited scope context, i.e. trust / oauth / application credential with a limited role, e.g. "monitoring_viewer" or "viewer", it is still possible to create EC2 credentials. A user can auth against Keystone using EC2 credentials and obtain all project roles of a trust/oauth/application_credential owner.

I prepared a tool to auth against keystone using ec2 credentials: https://github.com/kayrus/ec2auth

* auth against keystone using trust/oauth/application_credential credentials
* issue ec2 credentials: "openstack ec2 credentials create"
* authenticate against keystone using ec2 credentials: "ec2auth --access 7522162ced8f4e3eb9502168ef199584 --secret c558d9401a6943bbbb77a83ce910e5a5 --debug"

You'll see that the returned token contains all owner roles.
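The following is an added illustration, not Keystone's code and not part of the bug report: a minimal model of an identity service that mints EC2 credentials and authenticates with them. The unguarded variant reproduces the behaviour described above (an EC2 credential created from an application-credential scoped context yields a token carrying the owner's full project roles); the guarded variant refuses to create EC2 credentials from any trust, OAuth or application-credential scoped context. All names, role sets and the `Identity` class are constructed for the example.

```python
"""Hypothetical model of the check the report calls for (not Keystone code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
import secrets


@dataclass
class Context:
    """Authorization context of the caller, as a scoped token would carry it."""
    user_id: str
    project_id: str
    roles: FrozenSet[str]
    trust_id: Optional[str] = None
    oauth_consumer_id: Optional[str] = None
    application_credential_id: Optional[str] = None

    def is_limited_scope(self) -> bool:
        # Trust, OAuth and application-credential scopes delegate a subset of
        # the owner's roles; anything minted from them must not escape that subset.
        return any((self.trust_id, self.oauth_consumer_id, self.application_credential_id))


@dataclass
class EC2Credential:
    access: str
    secret: str
    user_id: str
    project_id: str


class ForbiddenError(Exception):
    pass


# Constructed role assignments: the credential owner holds full roles on the project.
OWNER_PROJECT_ROLES: Dict[str, FrozenSet[str]] = {
    "user-alice": frozenset({"admin", "member", "reader"}),
}


class Identity:
    def __init__(self, guard: bool):
        self.guard = guard
        self.store: Dict[str, EC2Credential] = {}

    def create_ec2_credential(self, ctx: Context) -> EC2Credential:
        # Hardened path: a limited-scope caller may not mint long-lived EC2
        # credentials, because EC2 auth below resolves roles from the owner,
        # not from the delegated scope that created the credential.
        if self.guard and ctx.is_limited_scope():
            raise ForbiddenError(
                "EC2 credential creation is not allowed from a trust, OAuth "
                "or application-credential scoped context")
        cred = EC2Credential(secrets.token_hex(16), secrets.token_hex(16),
                             ctx.user_id, ctx.project_id)
        self.store[cred.access] = cred
        return cred

    def authenticate_ec2(self, access: str, secret: str) -> dict:
        cred = self.store.get(access)
        if cred is None or not secrets.compare_digest(cred.secret, secret):
            raise ForbiddenError("invalid EC2 credential")
        # Unguarded behaviour from the report: the token carries every role the
        # owner holds on the project, regardless of how the credential was minted.
        return {"user_id": cred.user_id, "project_id": cred.project_id,
                "methods": ["ec2"],
                "roles": sorted(OWNER_PROJECT_ROLES[cred.user_id])}


def demo(guard: bool) -> dict:
    """Mint an EC2 credential from an application-credential scope limited to
    'monitoring_viewer', then authenticate with it and report the outcome."""
    ctx = Context("user-alice", "proj-1", frozenset({"monitoring_viewer"}),
                  application_credential_id="appcred-constructed")
    svc = Identity(guard)
    try:
        cred = svc.create_ec2_credential(ctx)
    except ForbiddenError as exc:
        return {"created": False, "reason": str(exc)}
    token = svc.authenticate_ec2(cred.access, cred.secret)
    return {"created": True, "scoped_roles": sorted(ctx.roles),
            "token_roles": token["roles"]}


if __name__ == "__main__":
    print("unguarded:", demo(guard=False))
    print("guarded:  ", demo(guard=True))
```

In the unguarded run the token's roles grow from `['monitoring_viewer']` to the owner's `['admin', 'member', 'reader']`; in the guarded run creation is refused. The same predicate is where a deployment would also want a detection hook: a credential-create call whose token carries a trust, OAuth or application-credential id is the event worth alerting on.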