The keystone server auth plugin methods could mismatch user_id in auth_context
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Morgan Fainberg | |
| Mitaka | Invalid | Medium | Morgan Fainberg | |
| Newton | Invalid | Medium | Morgan Fainberg | |
| Ocata | Fix Released | Medium | Morgan Fainberg | |
Bug Description
The keystone server blindly overwrites the auth_context.
While this is not exploitable externally without misconfiguration of the external plugin methods and supporting services, this is a bad state that could relatively easily result in someone ending up authenticated with the wrong user_id.
The simplest fix will be to have the for loop in the authentication controller (the one that iterates over the methods) verify that the user_id does not change between the auth_methods executed.
This has been marked as public security for hardening purposes, likely a "Class D" https:/
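The check described above, as an added example that is not keystone's own code: a loop over auth-method plugins that merges each result into auth_context, refuses to continue if a later method returns a different user_id than one already established, and can also be run without the check to show how the blind overwrite ends up authenticating the wrong user. The plugin functions, user table and the `verify_user_id` switch are constructed for illustration.

```python
"""Added example (not keystone's own code): run auth-method plugins in order
and refuse to let a later plugin silently change the user_id that an earlier
one already established in auth_context."""


class AuthError(Exception):
    """Raised when the combined auth context is inconsistent."""


def authenticate(auth_methods, auth_info, verify_user_id=True):
    """Run each auth method and merge its claims into auth_context.

    auth_methods: list of callables; each takes auth_info and returns a dict
    of claims (e.g. {"user_id": "..."}) or None if it does not apply.
    verify_user_id=True is the hardened behaviour; False reproduces the
    blind overwrite the bug report describes (illustrative switch only).
    """
    auth_context = {}
    for method in auth_methods:
        result = method(auth_info) or {}
        # Hardening check: once a user_id is established, every later method
        # must agree with it. A mismatch means the request would end up
        # authenticated as the wrong user, so abort instead of overwriting.
        if (verify_user_id
                and "user_id" in auth_context
                and "user_id" in result
                and auth_context["user_id"] != result["user_id"]):
            raise AuthError(
                "user_id mismatch between auth methods: %r != %r"
                % (auth_context["user_id"], result["user_id"]))
        auth_context.update(result)
        auth_context.setdefault("methods", []).append(method.__name__)
    return auth_context


# Constructed sample plugins standing in for real auth methods.
_USERS = {"alice": "u-alice-1", "bob": "u-bob-2"}  # constructed user table


def password_method(auth_info):
    # hypothetical password plugin: resolve the user name to a user_id
    user = auth_info.get("password", {}).get("user")
    return {"user_id": _USERS[user]} if user in _USERS else None


def external_method(auth_info):
    # hypothetical external plugin: trusts an id supplied by a front end
    remote = auth_info.get("external", {}).get("remote_user_id")
    return {"user_id": remote} if remote else None


def demo_consistent():
    """Both methods agree on the user: the merged context is accepted."""
    return authenticate(
        [password_method, external_method],
        {"password": {"user": "alice"},
         "external": {"remote_user_id": "u-alice-1"}})


def demo_mismatch(verify_user_id=True):
    """The external method claims a different user than the password method."""
    try:
        ctx = authenticate(
            [password_method, external_method],
            {"password": {"user": "alice"},
             "external": {"remote_user_id": "u-bob-2"}},
            verify_user_id=verify_user_id)
    except AuthError:
        return "rejected"
    return ctx["user_id"]


if __name__ == "__main__":
    print(demo_consistent())                 # accepted, user_id u-alice-1
    print(demo_mismatch())                   # rejected
    print(demo_mismatch(verify_user_id=False))  # u-bob-2: the wrong user
```

With the check disabled the last call shows the state the report warns about: the request began as alice and ends authenticated as bob because the later method's user_id simply overwrote the earlier one.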
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Morgan Fainberg (mdrnstm)
summary:
- The keystone server auth pluigin methods could mismatch user_id in
+ The keystone server auth plugin methods could mismatch user_id in auth_context
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Steve Martinelli (stevemar)
This probably should also be a lower-prio backport if possible. Not a huge risk, but good to ensure we aren't in a bad state if auth methods mutate the user-id between method validation.