Comment 4 for bug 1792047

Morgan Fainberg (mdrnstm) wrote: Re: [Bug 1792047] Re: keystone rbacenforcer not populating policy dict with view args

The concern is the opposite of exploitable. It can lock keystone's API too
closed. It is security in that sense; it should be a tag, I guess.

On Wed, Sep 12, 2018, 08:41 Jeremy Stanley <email address hidden> wrote:

> Is this considered exploitable (class A vulnerability report)? Or should
> it be using the security bugtag to indicate a hardening opportunity
> instead of the Public Security bug type?
>
>
> Title:
> keystone rbacenforcer not populating policy dict with view args
>
> Status in OpenStack Identity (keystone):
> In Progress
> Status in OpenStack Identity (keystone) rocky series:
> In Progress
> Status in OpenStack Identity (keystone) stein series:
> In Progress
>
> Bug description:
> The old @protected decorator pushed the view arguments into the
> policy_dict for enforcement purposes[0]. This was missed in the new
> RBACEnforcer.
>
> [0] https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152
>
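The failure mode in the quoted report, as an added example that is not keystone's or oslo.policy's own code: a simplified model of an oslo.policy-style generic check, with hypothetical helpers `build_policy_dict`, `generic_check` and `enforce`, showing that leaving the view arguments out of the policy dict makes a rule such as `user_id:%(user_id)s` fail closed for a request that should be allowed.

```python
# Added illustration (not keystone's code): a minimal model of an
# oslo.policy-style "cred_key:%(target_key)s" check, showing why a
# policy dict that omits the request's view args denies valid requests.


def build_policy_dict(target, view_args=None, include_view_args=True):
    """Assemble the dict a rule is evaluated against.

    include_view_args=True models the old @protected decorator, which
    merged the view (URL) arguments in; False models the RBACEnforcer
    behaviour described in this bug.
    """
    policy_dict = dict(target)
    if include_view_args and view_args:
        policy_dict.update(view_args)
    return policy_dict


def generic_check(rule, creds, policy_dict):
    """Evaluate one 'cred_key:%(target_key)s' rule.

    A missing target key makes the check fail (deny) rather than raise,
    which is the "locked too closed" outcome: nobody can satisfy the rule.
    """
    cred_key, target_expr = rule.split(":", 1)
    try:
        expected = target_expr % policy_dict  # KeyError if key is absent
    except KeyError:
        return False
    return str(creds.get(cred_key)) == expected


# Constructed sample request: user 'u-123' reading their own record via
# GET /v3/users/u-123, where user_id is only available as a view argument.
RULE = "user_id:%(user_id)s"
CREDS = {"user_id": "u-123", "project_id": "p-1"}
VIEW_ARGS = {"user_id": "u-123"}
TARGET = {}  # the handler passes no explicit target


def enforce(include_view_args):
    """Return True if the sample request passes RULE."""
    policy_dict = build_policy_dict(TARGET, VIEW_ARGS, include_view_args)
    return generic_check(RULE, CREDS, policy_dict)


if __name__ == "__main__":
    print("old @protected path:", enforce(True))   # True: allowed
    print("RBACEnforcer path:  ", enforce(False))  # False: denied
```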