Comment 8 for bug 1677723

Tristan Cacqueray (tristan-cacqueray) wrote : Re: federated user gets wrong role

Could this be caused by a special configuration, or is this happening for all federation setups?
It's surprising that the group_ids is empty; shouldn't it contain the _member_ id?

Here is an early impact description draft:

Title: Incorrect role assignment with federated Keystone
Reporter: Boris Bobrov (Mirantis)
Products: Keystone
Affects: >=9.0.0 <=9.3.0, >=10.0.0 <=10.0.1, ==11.0.0

Description:
Boris Bobrov from Mirantis reported a vulnerability in Keystone Federation. An authenticated user may receive all the roles assigned with the user's project regardless of the federation mapping. For example, by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens. All setups using the Keystone federation are affected.