keystone rbacenforcer not populating policy dict with view args

Bug #1792047 reported by Morgan Fainberg
Bug heat: 6
This bug affects 1 person

Affects                        Status         Importance  Assigned to      Milestone
OpenStack Identity (keystone)  Fix Released   High        Morgan Fainberg
  Rocky                        Fix Committed  High        Morgan Fainberg
  Stein                        Fix Released   High        Morgan Fainberg

Bug Description

The old @protected decorator pushed the view arguments into the policy_dict for enforcement purposes[0]. This was missed in the new RBACEnforcer.

[0] https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152
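The practical effect of the missing view args is easiest to see with a policy rule that references a URL path parameter. The following is an added example, not keystone's or oslo.policy's own code: it is a simplified model of how oslo.policy-style `attr:%(key)s` checks are %-formatted against the policy dict (the target), with a toy `role:` check alongside it. The rule string, the request data, and the helper names (`build_policy_dict`, `can_get_user`, `demo`) are constructed for illustration; `include_view_args=False` stands in for the RBACEnforcer before the fix and `True` for the old `@protected` behaviour that the fix restores.

```python
"""Added example (not keystone's code): why dropping flask view args from the
policy dict makes owner-style rules fail closed.

The check semantics below are a simplified model of oslo.policy's GenericCheck
and RoleCheck, not the real implementation.
"""
from typing import Any, Dict


def check(expr: str, target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
    """Evaluate one 'kind:match' check.

    'match' is %-formatted against the target dict (the policy dict). A key
    that is missing from the target raises KeyError, which is treated as a
    non-match, so the check fails closed. 'role:' compares against the
    caller's role list; anything else is compared against creds[kind].
    """
    kind, match = expr.split(":", 1)
    try:
        match = match % target
    except KeyError:
        return False
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    return kind in creds and str(creds[kind]) == match


def enforce(rule: str, target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
    """Evaluate checks joined by ' or ' (enough for the rule used here;
    oslo.policy's grammar is richer)."""
    return any(check(c.strip(), target, creds) for c in rule.split(" or "))


def build_policy_dict(view_args: Dict[str, Any], include_view_args: bool) -> Dict[str, Any]:
    """Hypothetical stand-in for the enforcer's policy_dict construction.

    include_view_args=False models the RBACEnforcer before the fix (the URL
    path parameters never reach the policy dict); True models the old
    @protected decorator and the fixed enforcer.
    """
    policy_dict: Dict[str, Any] = {}
    if include_view_args:
        policy_dict.update(view_args)
    return policy_dict


# Constructed rule, modelled on a v3cloud-style "owner" rule: admins may read
# any user, and a user may read their own record. %(user_id)s can only be
# satisfied from the URL path, i.e. from the view args.
GET_USER_RULE = "role:admin or user_id:%(user_id)s"

# Constructed credentials for callers of GET /v3/users/{user_id}.
OWNER = {"user_id": "u-123", "roles": ["member"]}
OTHER = {"user_id": "u-999", "roles": ["member"]}
ADMIN = {"user_id": "u-001", "roles": ["admin"]}


def can_get_user(creds: Dict[str, Any], view_args: Dict[str, Any],
                 include_view_args: bool) -> bool:
    """Decide GET /v3/users/{user_id} for the given caller."""
    target = build_policy_dict(view_args, include_view_args)
    return enforce(GET_USER_RULE, target, creds)


def demo() -> Dict[str, bool]:
    """Same request (GET /v3/users/u-123) with and without view args."""
    view_args = {"user_id": "u-123"}  # what flask extracts from the URL
    return {
        "owner_before_fix": can_get_user(OWNER, view_args, False),
        "owner_after_fix": can_get_user(OWNER, view_args, True),
        "other_before_fix": can_get_user(OTHER, view_args, False),
        "other_after_fix": can_get_user(OTHER, view_args, True),
        "admin_before_fix": can_get_user(ADMIN, view_args, False),
        "admin_after_fix": can_get_user(ADMIN, view_args, True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Without the view args the owner is denied their own record while the admin path (which needs nothing from the target) still works, which is the "locked too closed" outcome described in the thread; with them restored the owner is allowed and a different non-admin user is still denied, so restoring the view args widens nothing beyond what the rule already intended.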

Changed in keystone:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Morgan Fainberg (mdrnstm)
Changed in keystone:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/601882

Revision history for this message
Jeremy Stanley (fungi) wrote :

Is this considered exploitable (class A vulnerability report)? Or should it be using the security bugtag to indicate a hardening opportunity instead of the Public Security bug type?

Revision history for this message
Morgan Fainberg (mdrnstm) wrote : Re: [Bug 1792047] Re: keystone rbacenforcer not populating policy dict with view args

The concern is the opposite of exploitable. It can lock keystone's api too
closed. It is security in that sense, it should be a tag I guess.



information type: Public Security → Public
tags: added: policy security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/601875
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4975b79e8174587f7639347939cf679460d4896b
Submitter: Zuul
Branch: master

commit 4975b79e8174587f7639347939cf679460d4896b
Author: morgan fainberg <email address hidden>
Date: Tue Sep 11 16:03:54 2018 -0700

    Ensure view args is in policy dict

    The policy_dict (in enforcement) was not populating the view args
    in a similar manner to the old style @protected decorator. This
    change ensures that we mirror the old behavior (required for
    proper use of v3cloud policy).

    Change-Id: Ida9009a95a874be9cc60c3152d4e3225726562eb
    Partial-Bug: #1776504
    Closes-Bug: #1792047

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky)

Reviewed: https://review.openstack.org/601882
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0c71cdd23bd2a7e4f7ec1a5ecec91f3ed7457d00
Submitter: Zuul
Branch: stable/rocky

commit 0c71cdd23bd2a7e4f7ec1a5ecec91f3ed7457d00
Author: morgan fainberg <email address hidden>
Date: Tue Sep 11 16:03:54 2018 -0700

    Ensure view args is in policy dict

    The policy_dict (in enforcement) was not populating the view args
    in a similar manner to the old style @protected decorator. This
    change ensures that we mirror the old behavior (required for
    proper use of v3cloud policy).

    Conflicts:
        keystone/tests/unit/common/test_rbac_enforcer.py

    Change-Id: Ida9009a95a874be9cc60c3152d4e3225726562eb
    Partial-Bug: #1776504
    Closes-Bug: #1792047
    (cherry picked from commit 4975b79e8174587f7639347939cf679460d4896b)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.1

This issue was fixed in the openstack/keystone 14.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
