2017-03-14 11:38:09 |
Maciej Jozefczyk |
bug |
|
|
added bug |
2017-03-14 11:38:58 |
ElComandante |
bug |
|
|
added subscriber ElComandante |
2017-03-14 13:12:12 |
Maciej Jozefczyk |
keystonemiddleware: assignee |
|
Maciej Jozefczyk (maciej.jozefczyk) |
|
2017-03-14 13:25:55 |
Maciej Jozefczyk |
description |
Description
===========
Assuming infrastructure with multiple regions and one centralized Keystone Identity Service, Keystonemiddleware doesn't filter out requests with a valid token taken from the first region to services defined in the second region.
It is possible to list glance public images, nova public flavors etc. with a token from a different region.
Steps to reproduce
=================
1. Deploy environment with one Keystone and minimum 2 regions.
Assign names: RegionOne, RegionTwo
2. Assign Openstack Stack services to those regions.
3. Create project and users in both regions.
4. Configure services to use keystonemiddleware.auth_token:filter_factory, example for Glance:
Add to glance-api-paste.ini:
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
5. Get token from RegionOne (openstack token issue).
6. Use this token with request to service in RegionTwo, for example request to Glance:
curl -g -i -X GET https://REGION_TWO_GLANCE_SERVICE:9292/v2/schemas/image -H "User-Agent: python-glanceclient" -H "Content-Type: application/octet-stream" -H "X-Auth-Token: TOKEN_FROM_REGION_ONE"
Expected result
===============
The response from the service defined in RegionTwo should likely be as follows:
HTTP/1.1 401 Unauthorized
Content-Length: 253
Content-Type: text/plain; charset=UTF-8
Www-Authenticate: Keystone uri='https://CENTRAL_KEYSTONE:5000/v3/'
Date: Tue, 14 Mar 2017 11:31:34 GMT
Actual result
=============
The requested endpoint answers with HTTP code 200.
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 4149
X-Openstack-Request-Id: req-c3483e4d-de31-4597-b12f-4f33d59cca44
Date: Tue, 14 Mar 2017 11:29:30 GMT
<JSON WITH GLANCE PUBLIC IMAGES FROM RegionTwo>
Environment
===========
OpenStack Newton (it seems master is affected too).
Keystonemiddleware version 4.9.0 |
Description
===========
Assuming infrastructure with multiple regions and one centralized Keystone Identity Service, Keystonemiddleware doesn't filter out requests with a valid token taken from the first region to services defined in the second region.
It is possible to list glance public images, nova public flavors etc. with a token from a different region.
Steps to reproduce
=================
1. Deploy environment with one Keystone and minimum 2 regions.
Assign names: RegionOne, RegionTwo
2. Assign Openstack Stack services to those regions.
3. Create project and users in both regions.
4. Configure services to use keystonemiddleware.auth_token:filter_factory, example for Glance:
Add to glance-api-paste.ini:
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
5. Get token from RegionOne (openstack token issue).
6. Use this token with request to service in RegionTwo, for example request to Glance:
curl -g -i -X GET https://REGION_TWO_GLANCE_SERVICE:9292/v2/schemas/image -H "User-Agent: python-glanceclient" -H "Content-Type: application/octet-stream" -H "X-Auth-Token: TOKEN_FROM_REGION_ONE"
Expected result
===============
The response from the service defined in RegionTwo should likely be as follows:
HTTP/1.1 401 Unauthorized
Content-Length: 253
Content-Type: text/plain; charset=UTF-8
Www-Authenticate: Keystone uri='https://CENTRAL_KEYSTONE:5000/v3/'
Date: Tue, 14 Mar 2017 11:31:34 GMT
Actual result
=============
The requested endpoint answers with HTTP code 200.
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 4149
X-Openstack-Request-Id: req-c3483e4d-de31-4597-b12f-4f33d59cca44
Date: Tue, 14 Mar 2017 11:29:30 GMT
<JSON WITH GLANCE PUBLIC IMAGES FROM RegionTwo>
Environment
===========
OpenStack Newton (it seems master is affected too).
Keystonemiddleware version 4.9.0 (master also affected) |
|
2017-03-15 10:39:33 |
Maciej Jozefczyk |
description |
Description
===========
Assuming infrastructure with multiple regions and one centralized Keystone Identity Service, Keystonemiddleware doesn't filter out requests with a valid token taken from the first region to services defined in the second region.
It is possible to list glance public images, nova public flavors etc. with a token from a different region.
Steps to reproduce
=================
1. Deploy environment with one Keystone and minimum 2 regions.
Assign names: RegionOne, RegionTwo
2. Assign Openstack Stack services to those regions.
3. Create project and users in both regions.
5. Configure endpoint filtering for Regions (user from RegionOne shouldn't find endpoints from RegionTwo).
4. Configure services to use keystonemiddleware.auth_token:filter_factory, example for Glance:
Add to glance-api-paste.ini:
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
5. Get token from RegionOne (openstack token issue).
6. Use this token with request to service in RegionTwo, for example request to Glance:
curl -g -i -X GET https://REGION_TWO_GLANCE_SERVICE:9292/v2/schemas/image -H "User-Agent: python-glanceclient" -H "Content-Type: application/octet-stream" -H "X-Auth-Token: TOKEN_FROM_REGION_ONE"
Expected result
===============
The response from the service defined in RegionTwo should likely be as follows:
HTTP/1.1 401 Unauthorized
Content-Length: 253
Content-Type: text/plain; charset=UTF-8
Www-Authenticate: Keystone uri='https://CENTRAL_KEYSTONE:5000/v3/'
Date: Tue, 14 Mar 2017 11:31:34 GMT
Actual result
=============
The requested endpoint answers with HTTP code 200.
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 4149
X-Openstack-Request-Id: req-c3483e4d-de31-4597-b12f-4f33d59cca44
Date: Tue, 14 Mar 2017 11:29:30 GMT
<JSON WITH GLANCE PUBLIC IMAGES FROM RegionTwo>
Environment
===========
OpenStack Newton (it seems master is affected too).
Keystonemiddleware version 4.9.0 (master also affected) |
|
2017-03-15 10:54:21 |
Maciej Jozefczyk |
description |
Description
===========
Assuming infrastructure with multiple regions and one centralized Keystone Identity Service, Keystonemiddleware doesn't filter out requests with a valid token taken from the first region to services defined in the second region.
It is possible to list glance public images, nova public flavors etc. with a token from a different region even if Keystone endpoint catalog filtering is set.
Steps to reproduce
=================
1. Deploy environment with one Keystone and minimum 2 regions.
Assign names: RegionOne, RegionTwo
2. Assign Openstack Stack services to those regions.
3. Create project and users in both regions.
5. Configure endpoint filtering for Regions (user from RegionOne shouldn't get endpoints from service catalog of RegionTwo).
4. Configure services to use keystonemiddleware.auth_token:filter_factory, example for Glance:
Add to glance-api-paste.ini:
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
5. Get token from RegionOne (openstack token issue).
6. Use this token with request to service in RegionTwo, for example request to Glance:
curl -g -i -X GET https://REGION_TWO_GLANCE_SERVICE:9292/v2/schemas/image -H "User-Agent: python-glanceclient" -H "Content-Type: application/octet-stream" -H "X-Auth-Token: TOKEN_FROM_REGION_ONE"
Expected result
===============
The response from the service defined in RegionTwo should likely be as follows:
HTTP/1.1 401 Unauthorized
Content-Length: 253
Content-Type: text/plain; charset=UTF-8
Www-Authenticate: Keystone uri='https://CENTRAL_KEYSTONE:5000/v3/'
Date: Tue, 14 Mar 2017 11:31:34 GMT
Actual result
=============
The requested endpoint answers with HTTP code 200.
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 4149
X-Openstack-Request-Id: req-c3483e4d-de31-4597-b12f-4f33d59cca44
Date: Tue, 14 Mar 2017 11:29:30 GMT
<JSON WITH GLANCE PUBLIC IMAGES FROM RegionTwo>
Environment
===========
OpenStack Newton (it seems master is affected too).
Keystonemiddleware version 4.9.0 (master also affected) |
|
2017-03-17 13:38:24 |
Arnaud Morin |
bug |
|
|
added subscriber Arnaud Morin |
2017-08-02 20:52:09 |
Lance Bragstad |
keystonemiddleware: assignee |
Maciej Jozefczyk (maciej.jozefczyk) |
|
|
2018-10-24 18:17:52 |
Morgan Fainberg |
keystonemiddleware: status |
New |
Opinion |
|