Activity log for bug #999998

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2012-05-16 00:28:58 | Liem Nguyen | bug | | | added bug |
| 2012-05-16 00:52:32 | Liem Nguyen | description | In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>. This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. Also, tenantName is not unique; so, you can potentially have a security hole where access is granted to the wrong same-named tenant. I am not sure why we are using tenantName here, because it appears we use tenantId pretty much everywhere else to uniquely identify a tenant. At any rate, I raise this bug because of backward-incompatibility with essex-3. To maintain backward compatibility, we should at least support the old format as well. Thanks, Liem | In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>. This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. To maintain backward compatibility, we should at least support the old format as well. Thanks, Liem | |
| 2012-05-16 00:57:47 | Liem Nguyen | description | In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>. This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. To maintain backward compatibility, we should at least support the old format as well. Thanks, Liem | In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>. This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. To maintain backward compatibility, we should at least support the old format as well. It also appears that we are using tenantId to identify the tenant everywhere else (Nova project, Swift account), so why not in Swift ACL as well for consistency? Thanks, Liem | |
| 2012-05-16 06:49:35 | Lin Hua Cheng | keystone: assignee | | Lin Hua Cheng (lin-hua-cheng) | |
| 2012-05-20 18:34:57 | Joseph Heck | keystone: status | New | Triaged | |
| 2012-05-20 18:35:00 | Joseph Heck | keystone: importance | Undecided | Medium | |
| 2012-05-22 05:47:03 | OpenStack Infra | keystone: status | Triaged | In Progress | |
| 2012-05-29 21:38:29 | OpenStack Infra | keystone: status | In Progress | Fix Committed | |
| 2012-07-04 08:23:01 | Thierry Carrez | keystone: status | Fix Committed | Fix Released | |
| 2012-07-04 08:23:01 | Thierry Carrez | keystone: milestone | | folsom-2 | |
| 2012-09-27 15:03:38 | Thierry Carrez | keystone: milestone | folsom-2 | 2012.2 | |
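
The two container ACL formats named in the bug description, as an added Python example that is not Keystone or Swift code: it shows an ID-format ACL failing a name-only comparison, a name-format ACL matching two tenants that share a name, and an audit helper that flags such entries. The identities, the tenant table and all function names are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed sample data: two distinct tenants that share the name "dev".
Identity = namedtuple("Identity", "tenant_id tenant_name user_name")
INTENDED = Identity("1001", "dev", "alice")
OTHER = Identity("2002", "dev", "alice")
TENANTS = {"1001": "dev", "2002": "dev", "3003": "ops"}  # tenant id -> name


def parse_acl(header):
    """Split a comma-separated container ACL into stripped entries."""
    return {e.strip() for e in header.split(",") if e.strip()}


def allowed_by_name(acl, ident):
    """<tenantName>:<userName> matching, the newer format in the report."""
    return f"{ident.tenant_name}:{ident.user_name}" in acl


def allowed_by_id(acl, ident):
    """<tenantId>:<userName> matching, the essex-3 format in the report."""
    return f"{ident.tenant_id}:{ident.user_name}" in acl


def allowed_either(acl, ident):
    """Accept both formats so ACLs written in the old format keep working."""
    return allowed_by_id(acl, ident) or allowed_by_name(acl, ident)


def ambiguous_entries(acl, tenants):
    """Return ACL entries whose tenant part is a name shared by >1 tenant id."""
    ids_by_name = defaultdict(set)
    for tenant_id, name in tenants.items():
        ids_by_name[name].add(tenant_id)
    flagged = set()
    for entry in acl:
        tenant, sep, _user = entry.partition(":")
        # Skip entries already keyed by a known tenant id.
        if sep and tenant not in tenants and len(ids_by_name.get(tenant, ())) > 1:
            flagged.add(entry)
    return flagged
```

Running `ambiguous_entries` over existing container ACLs gives a list of grants to review before relying on name-format entries.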