Hi Melanie,
Thank you very much for testing the Cinder code, finding the loophole, and providing such detailed instructions.
I incorrectly assumed that keystonemiddleware would not only check that the service token in the header is valid, but also that it was actually that of a service role.
I have changed the code to actually check that, among the roles from the service token (if a valid one is provided), there is actually one of a service.
I'll check on Monday whether the new approach also works on older releases (in case we need a different approach for the backports) and also with Glance using Cinder as a backend (in case Glance is not sending the service token).
Cheers.
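As an added example, not Cinder's own code and not part of the message above: the difference between "keystonemiddleware accepted the X-Service-Token" and "the service token carries a service role". The header names (X-Service-Identity-Status, X-Service-Roles) follow keystonemiddleware's convention of writing validated-token data into request headers; the role name "service" and the three request environments are assumptions constructed for the example.

```python
"""Distinguish a merely valid service token from one that holds a service role.

Constructed example. The dicts below stand in for the WSGI environ after
keystonemiddleware has validated both tokens and written its headers.
HTTP_X_SERVICE_IDENTITY_STATUS / HTTP_X_SERVICE_ROLES follow keystonemiddleware's
header naming; the role name "service" is an assumption (it is configurable).
"""

SERVICE_ROLE = "service"  # assumed role name; deployments may use another


def _header(environ, name):
    """Read an HTTP header from a WSGI-style environ (X-Foo-Bar -> HTTP_X_FOO_BAR)."""
    return environ.get("HTTP_" + name.upper().replace("-", "_"), "")


def service_token_is_valid(environ):
    """Naive check: keystonemiddleware confirmed *some* token in X-Service-Token.

    This is the loophole: any valid token (even the caller's own user token)
    passes, because validity says nothing about which roles the token carries.
    """
    return _header(environ, "X-Service-Identity-Status") == "Confirmed"


def service_roles(environ):
    """Roles keystonemiddleware extracted from the service token (comma separated)."""
    raw = _header(environ, "X-Service-Roles")
    return [r.strip() for r in raw.split(",") if r.strip()]


def caller_is_service(environ, required_role=SERVICE_ROLE):
    """Stricter check: a confirmed service token whose roles include the service role."""
    return service_token_is_valid(environ) and required_role in service_roles(environ)


def decide(environ):
    """Return both verdicts so the two checks can be compared side by side."""
    return {"naive": service_token_is_valid(environ),
            "strict": caller_is_service(environ)}


# Constructed request environments (assumed values, not captured traffic).
REQ_FROM_SERVICE = {            # e.g. Glance sending its real service token
    "HTTP_X_IDENTITY_STATUS": "Confirmed",
    "HTTP_X_ROLES": "member",
    "HTTP_X_SERVICE_IDENTITY_STATUS": "Confirmed",
    "HTTP_X_SERVICE_ROLES": "service",
}
REQ_USER_TOKEN_AS_SERVICE = {   # a user re-sending their own valid token as X-Service-Token
    "HTTP_X_IDENTITY_STATUS": "Confirmed",
    "HTTP_X_ROLES": "member",
    "HTTP_X_SERVICE_IDENTITY_STATUS": "Confirmed",
    "HTTP_X_SERVICE_ROLES": "member",
}
REQ_NO_SERVICE_TOKEN = {        # plain user request, no X-Service-Token at all
    "HTTP_X_IDENTITY_STATUS": "Confirmed",
    "HTTP_X_ROLES": "member",
}

if __name__ == "__main__":
    for label, env in (("service caller", REQ_FROM_SERVICE),
                       ("user token as service token", REQ_USER_TOKEN_AS_SERVICE),
                       ("no service token", REQ_NO_SERVICE_TOKEN)):
        print(f"{label:28s} {decide(env)}")
```

The second environment is the case the message describes: the naive check accepts it because the token is valid, while the stricter check rejects it because "service" is not among the service token's roles. In a real deployment the same role list is what oslo.context exposes as the request context's service_roles, so the check can be made there rather than on raw headers.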