Attempting a RoleCheck when the credentials do not contain a roles list causes an exception
Bug #1529721 reported by
Timothy Symanczyk
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Timothy Symanczyk | ||
| oslo.policy |
Fix Released
|
Medium
|
Timothy Symanczyk | ||
Bug Description
How to reproduce this bug using keystone :
1) Retrieve an unscoped token for any valid account.
2) Using curl - invoke list_user_projects for the SAME user from step 1 using the token from step 1, and observe that this works as expected.
3) Alter the in-use policy file by inserting "role:service or " at the beginning of the rule for list_user_projects ...
< "identity:
---
> "identity:
.... Note that the addition of this 'or' clause should not be able to logically cause any additional denials.
4) Try the identical curl command from step 2 again, and observe that it now fails with 403 Forbidden.
| Changed in keystone: | |
| assignee: | nobody → Timothy Symanczyk (timothy-symanczyk) |
| Changed in keystone: | |
| status: | New → Invalid |
| Changed in oslo.policy: | |
| assignee: | nobody → Timothy Symanczyk (timothy-symanczyk) |
| summary: |
- Policy rules can be incorrectly applied with unscoped tokens + Attempting a RoleCheck when the credentials do not contain a roles list + causes an exception |
| description: | updated |
Revision history for this message
| Timothy Symanczyk (timothy-symanczyk) wrote | #1 |
| Changed in oslo.policy: | |
| status: | New → In Progress |
| Changed in oslo.policy: | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Davanum Srinivas (DIMS) (dims-v) wrote Fix included in openstack/oslo.policy 1.3.0 | #2 |
| Changed in oslo.policy: | |
| status: | Fix Committed → Fix Released |
| importance: | Undecided → Medium |
To post a comment you must log in.
My proposed fix https:/
Includes a new unit test that will crash without the fix.