Comment 49 for bug 1872735

Colleen Murphy (krinkle) wrote : Re: EC2 and/or credential endpoints are not protected from a scoped context

I'm attaching a patch for rocky even though it has reached EM to help distros that need to support older releases. This patch must be applied on top of this public patch: https://review.opendev.org/725385

To mitigate this bug for older branches, I recommend disabling the use of ec2 and s3 tokens as authentication mechanisms by removing ec2_extension, ec2_extension_v3, and s3_extension from the paste pipelines in keystone-paste.ini. Note that this will not work for rocky - even though keystone includes an example keystone-paste.ini file, it is not respected in the keystone service as this release was a transitional release away from the paste middleware implementation.

An alternative mitigation strategy is to disable the ability to create and modify credentials by restricting them with policies. For example, you can use the following rules in your policy.json:

"identity:create_credential": "!"
"identity:update_credential": "!"
"identity:ec2_create_credential": "!"