access rules path checker should distinguish UUID-like strings

Bug #2020821 reported by Pavlo Shchelokovskyy
This bug affects 1 person
Affects: keystonemiddleware
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

Please consider it as a feature request.

In the access rules path definition, {tag} or * means any string w/o slashes, which complicates restricting the access in some circumstances due to how some OpenStack APIs are structured.

Example:
I want to create app creds that will only allow GET on any specific server by ID (GET /servers/{uuid}), and nothing more.
However, in Nova there's this API call GET /servers/detail, which is a list of all servers with details, and it also matches the /servers/{uuid} path in access rules.

There could be more examples like this across all OpenStack APIs.

I would envision that there should be a special tag, like literally {uuid}, that would only match UUID-like substrings and not anything else, somewhere around these parts: https://opendev.org/openstack/keystonemiddleware/src/branch/stable/2023.1/keystonemiddleware/auth_token/__init__.py#L280-L297
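The following is an added illustration, not keystonemiddleware's own path checker or any code from the reporter. It implements a minimal segment-by-segment matcher in which, as the report describes, `{tag}` and `*` accept any slash-free segment, and adds a hypothetical `{uuid}` tag that accepts only a canonical RFC 4122 textual UUID. The rule syntax, the `strict_uuid` switch, the helper names and the sample server ID are all assumptions made for the example; running it shows that the lenient matcher lets `GET /servers/detail` through a `/servers/{uuid}` rule while the strict tag denies it.

```python
"""Added example (not keystonemiddleware code): a minimal access-rule path
matcher showing why a generic {tag} over-matches and how a UUID-only tag
would narrow it.

Assumptions (hypothetical): patterns are split on "/", "{tag}" and "*"
match exactly one non-empty segment, and "{uuid}" matches only a
canonical 8-4-4-4-12 hexadecimal UUID when strict_uuid is enabled.
"""
import re
import uuid

# Canonical hyphenated form; uuid.UUID() is still called afterwards so
# that only values the standard library accepts as UUIDs pass.
_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def is_uuid_like(segment: str) -> bool:
    """True only for a canonical hyphenated UUID string such as a Nova server ID."""
    if not _UUID_RE.match(segment):
        return False
    try:
        uuid.UUID(segment)
    except ValueError:
        return False
    return True


def segment_matches(pattern_seg: str, path_seg: str, strict_uuid: bool) -> bool:
    """Match one request-path segment against one rule segment."""
    if not path_seg:
        return False
    if pattern_seg == "{uuid}" and strict_uuid:
        # Proposed behaviour: this tag accepts UUID-like segments only.
        return is_uuid_like(path_seg)
    if pattern_seg == "*" or (pattern_seg.startswith("{") and pattern_seg.endswith("}")):
        # Current behaviour described in the report: any tag or '*'
        # matches any string without slashes, including 'detail'.
        return True
    return pattern_seg == path_seg


def path_matches(rule_path: str, request_path: str, strict_uuid: bool = False) -> bool:
    """Return True if request_path is permitted by rule_path.

    strict_uuid=False: every {tag} behaves like '*' (lenient, over-matching).
    strict_uuid=True:  the {uuid} tag only matches UUID-like segments.
    """
    rule_segs = rule_path.strip("/").split("/")
    req_segs = request_path.strip("/").split("/")
    if len(rule_segs) != len(req_segs):
        return False
    return all(segment_matches(r, p, strict_uuid) for r, p in zip(rule_segs, req_segs))


def demo() -> dict:
    """Exercise the report's example: /servers/{uuid} versus /servers/detail."""
    rule = "/servers/{uuid}"
    server_id = "3f1a0d6e-9b2c-4e7f-8a5d-1c2b3a4d5e6f"  # constructed sample ID
    return {
        "lenient_server": path_matches(rule, f"/servers/{server_id}"),
        "lenient_detail": path_matches(rule, "/servers/detail"),
        "strict_server": path_matches(rule, f"/servers/{server_id}", strict_uuid=True),
        "strict_detail": path_matches(rule, "/servers/detail", strict_uuid=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The lenient branch is the over-matching the report describes: an application credential scoped to `GET /servers/{uuid}` also authorises the list-with-details call. The strict branch shows that a UUID-only tag closes that gap without touching the segment-count check or the literal-segment comparison.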

David Wilde (dave-wilde)
Changed in keystonemiddleware:
status: New → Confirmed
importance: Undecided → Medium