Comment 12 for bug 1242597

Adam Young (ayoung) wrote : Re: ec2tokens API doesn't handle trust-scoped tokens correctly

To explain the patch: the metadata on the first token will have a trust_id on it. When creating the EC2 Keypair, this needs to be carried over. That is done by earlier code. What was missing is the call that appends the trust_id on to the token created from the ec2 keypair. That is what is done at line 106. From this point forward, the trust_id will be maintained.

In the future, we probably want to change from "if we can't find the trust id, assume that there is none" to an approach of "we need to see an avid disavowal of a trust_id." Something like metadata.trust_id = None. We need to ensure that we carry over proof of non-delegation from mechanism to mechanism or we are going to continue to have these forms of errors.

The patch as written looks good.

Mattieu, does your patch take any security issues into account that this one does not? It seems to be a larger patch, but I can't tell if that means it is covering a wider array of issues.
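
Added example, not part of the comment above and not Keystone's code or the patch under review: a minimal sketch of carrying a trust_id from token to EC2-style credential to new token, comparing "missing means none" with the explicit-disavowal rule the comment proposes. All function names, the dict layout and the sample values are assumptions made for illustration.

```python
class DelegationUnknown(Exception):
    """Metadata neither names a trust nor explicitly disavows one."""


def _trust_of(metadata):
    # Strict rule: the key must exist. None means "explicitly not delegated".
    if "trust_id" not in metadata:
        raise DelegationUnknown("trust_id missing; delegation status unknown")
    return metadata["trust_id"]


def credential_from_token(token_metadata):
    """Create an EC2-style credential that inherits the token's trust scope."""
    return {"access": "constructed-access", "trust_id": _trust_of(token_metadata)}


def token_from_credential(credential):
    """Create token metadata from a credential, keeping its trust scope."""
    return {"auth_method": "ec2", "trust_id": _trust_of(credential)}


def token_from_credential_lenient(credential):
    """The 'can't find it, assume there is none' behaviour, for comparison."""
    return {"auth_method": "ec2", "trust_id": credential.get("trust_id")}


def demo():
    # Constructed sample metadata: one delegated token, one direct token.
    delegated = {"user": "constructed-user", "trust_id": "constructed-trust-1"}
    direct = {"user": "constructed-user", "trust_id": None}
    results = {
        "delegated": token_from_credential(credential_from_token(delegated)),
        "direct": token_from_credential(credential_from_token(direct)),
    }
    # Constructed failure case: a mechanism in between forgot the field.
    lossy = {"access": "constructed-access"}
    results["lossy_lenient"] = token_from_credential_lenient(lossy)
    try:
        token_from_credential(lossy)
        results["lossy_strict"] = "accepted"
    except DelegationUnknown:
        results["lossy_strict"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the lenient rule, the credential that lost its field is indistinguishable from a genuinely non-delegated one; with the strict rule the hand-off fails closed.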