OpenStack Security Advisory

  1. Bug #1242597
  2. Comment #47

Comment 47 for bug 1242597

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/51973
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8fcc18c42bde2db34e4b29236dc2e971d40f146b
Submitter: Jenkins
Branch: stable/grizzly

commit 8fcc18c42bde2db34e4b29236dc2e971d40f146b
Author: Steven Hardy <email address hidden>
Date: Sun Oct 13 10:44:52 2013 +0100

    Fix v2 token user ref with trust impersonation=True

    The v2 token controller incorrectly checks for a string instead
    of a boolean, which results in the wrong user ID (trustee, when
    it should be the trustor) when impersonation=True. So fix the
    comparison and tests, adding a test which illustrates the issue.

    This patchset also closes the gap that allows EC2 credentials to
    be issued from trust-scoped tokens, allowing privilege escalation
    since EC2 tokens have no concept of trust-scoping/role
    restrictions in the Grizzly release.

    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096
    Closes-Bug: #1239303
    Related-Bug: #1242597