Comment 29 for bug 1242597

Morgan Fainberg (mdrnstm) wrote : Re: ec2tokens API doesn't handle trust-scoped tokens correctly

Ok a couple bits of added information.

Grizzly is not affected by this bug due to an issue with how impersonation is checked for. As seen here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py?h=stable/grizzly#n204
we check for the string "True", not the singleton True. This means that impersonation will never work within Grizzly and mitigates this problem. This issue was fixed in Havana but never backported.

I have not finalized testing in this Grizzly patchset; I will work on finalizing tests once I am back at home this evening. This fix can be validated by using Steven Hardy's script from #1. I have confirmed this re-enables Impersonation Trusts and fixes the security flaw.