2012-05-31 10:10:36 |
Jason Xu |
bug |
|
|
added bug |
2012-05-31 10:10:36 |
Jason Xu |
attachment added |
|
keystone_tenant_api_bug.patch https://bugs.launchpad.net/bugs/1006815/+attachment/3169957/+files/keystone_tenant_api_bug.patch |
|
2012-06-02 20:56:07 |
Dolph Mathews |
keystone: importance |
Undecided |
Critical |
|
2012-06-02 20:56:15 |
Dolph Mathews |
keystone: status |
New |
Triaged |
|
2012-06-02 20:56:15 |
Dolph Mathews |
keystone: milestone |
|
folsom-2 |
|
2012-06-03 17:17:01 |
Dolph Mathews |
keystone: status |
Triaged |
Confirmed |
|
2012-06-03 17:17:01 |
Dolph Mathews |
keystone: assignee |
|
Dolph Mathews (dolph) |
|
2012-06-03 17:32:00 |
OpenStack Infra |
keystone: status |
Confirmed |
In Progress |
|
2012-06-04 09:19:31 |
Alan Pevec |
tags |
|
essex-backport |
|
2012-06-08 17:00:05 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Committed |
|
2012-07-04 08:22:19 |
Thierry Carrez |
keystone: status |
Fix Committed |
Fix Released |
|
2012-07-05 16:04:44 |
OpenStack Infra |
tags |
essex-backport |
essex-backport in-stable-essex |
|
2012-07-24 20:58:01 |
Mark McLoughlin |
nominated for series |
|
keystone/essex |
|
2012-07-24 20:58:01 |
Mark McLoughlin |
bug task added |
|
keystone/essex |
|
2012-07-24 20:58:16 |
Mark McLoughlin |
keystone/essex: status |
New |
Fix Committed |
|
2012-08-07 23:13:36 |
Mark McLoughlin |
keystone/essex: milestone |
|
2012.1.2 |
|
2012-08-07 23:14:02 |
Mark McLoughlin |
keystone/essex: importance |
Undecided |
Critical |
|
2012-08-10 06:01:52 |
Mark McLoughlin |
keystone/essex: status |
Fix Committed |
Fix Released |
|
2012-08-21 16:50:16 |
Launchpad Janitor |
branch linked |
|
lp:~openstack-ubuntu-testing/keystone/precise-essex-proposed |
|
2012-08-22 20:50:53 |
Chuck Short |
bug task added |
|
keystone (Ubuntu) |
|
2012-08-22 20:51:05 |
Chuck Short |
nominated for series |
|
Ubuntu Precise |
|
2012-08-22 20:51:05 |
Chuck Short |
bug task added |
|
keystone (Ubuntu Precise) |
|
2012-08-22 20:51:05 |
Chuck Short |
nominated for series |
|
Ubuntu Quantal |
|
2012-08-22 20:51:05 |
Chuck Short |
bug task added |
|
keystone (Ubuntu Quantal) |
|
2012-08-23 00:25:55 |
Ubuntu Foundations Team Bug Bot |
tags |
essex-backport in-stable-essex |
essex-backport in-stable-essex patch |
|
2012-08-23 00:26:03 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2012-08-24 13:30:22 |
Dave Walker |
keystone (Ubuntu): status |
New |
Fix Released |
|
2012-08-24 13:30:28 |
Dave Walker |
keystone (Ubuntu Precise): status |
New |
Confirmed |
|
2012-08-24 19:13:00 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/keystone |
|
2012-08-30 07:25:35 |
Adam Gandelman |
attachment added |
|
2012.1+stable~20120824-a16a0ab9-0ubuntu2.log https://bugs.launchpad.net/bugs/1006815/+attachment/3283183/+files/2012.1%2Bstable%7E20120824-a16a0ab9-0ubuntu2.log |
|
2012-08-30 07:25:37 |
Adam Gandelman |
tags |
essex-backport in-stable-essex patch |
essex-backport in-stable-essex patch verification-done |
|
2012-09-03 15:22:16 |
Launchpad Janitor |
keystone (Ubuntu Precise): status |
Confirmed |
Fix Released |
|
2012-09-12 03:22:33 |
Jason Xu |
removed subscriber Jason Xu |
|
|
|
2012-09-27 13:44:54 |
Russell Bryant |
security vulnerability |
no |
yes |
|
2012-09-27 15:03:11 |
Thierry Carrez |
keystone: milestone |
folsom-2 |
2012.2 |
|
2012-09-27 18:10:54 |
Russell Bryant |
cve linked |
|
2012-4456 |
|
2012-09-28 16:01:52 |
Joseph Heck |
description |
Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token
we can get the same result without a token in the HTTP header.
E.g.:
without a token
jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 72 100 72 0 0 308 0 --:--:-- --:--:-- --:--:-- 346
{
"roles": [
{
"id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
"name": "admin"
}
]
}
with token
jason@ubuntu:~/project/keystone$ curl -H "X-Auth-Token:ecab59a3f4e2468b9934c24f8660a809" http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 72 100 72 0 0 242 0 --:--:-- --:--:-- --:--:-- 270
{
"roles": [
{
"id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
"name": "admin"
}
]
}
What we expect:
without a token
jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 116 100 116 0 0 848 0 --:--:-- --:--:-- --:--:-- 1026
{
"error": {
"code": 401,
"message": "The request you have made requires authentication.",
"title": "Not Authorized"
}
}
Attached is a diff of the changes. |
Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate the authentication token before returning a response.
i.e. we can get the same result without a token in the HTTP header.
E.g.:
without a token
jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 72 100 72 0 0 308 0 --:--:-- --:--:-- --:--:-- 346
{
"roles": [
{
"id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
"name": "admin"
}
]
}
with token
jason@ubuntu:~/project/keystone$ curl -H "X-Auth-Token:ecab59a3f4e2468b9934c24f8660a809" http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 72 100 72 0 0 242 0 --:--:-- --:--:-- --:--:-- 270
{
"roles": [
{
"id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
"name": "admin"
}
]
}
What we expect:
without a token
jason@ubuntu:~/project/keystone$ curl http://0.0.0.0:35357/v2.0/tenants/1f73672bf2184a909abc8fe67e7a537d/users/b84f6dbb6d7b4130a8a9e9298ec96164/roles | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 116 100 116 0 0 848 0 --:--:-- --:--:-- --:--:-- 1026
{
"error": {
"code": 401,
"message": "The request you have made requires authentication.",
"title": "Not Authorized"
}
}
Attached is a diff of the changes. |
|
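The missing check described in the report above, as an added example that is not keystone's code and not the attached patch: a minimal Python model of the admin roles endpoint in its reported form and in a hardened form that authenticates and authorises before any lookup, plus the regression check a reviewer would want (no token must yield the 401 body shown in "What we expect"). The token store, the non-admin token and the 403 wording are constructed stand-ins; the tenant, user and role ids are reused from the report purely as sample data.

```python
# Added example (not keystone's code or the attached patch): a minimal model of
# the admin endpoint from this report, with and without token validation.
# Tenant, user, role and token values below are constructed sample data.
TENANT = "1f73672bf2184a909abc8fe67e7a537d"
USER = "b84f6dbb6d7b4130a8a9e9298ec96164"
ROLES = {(TENANT, USER): [{"id": "06906f69ffd44ad0b9fc86d1c3d1bcbd",
                           "name": "admin"}]}
# Stand-in for keystone's token backend: token -> whether it carries admin.
VALID_TOKENS = {"ecab59a3f4e2468b9934c24f8660a809": {"admin": True},
                "0000000000000000000000000000dead": {"admin": False}}

UNAUTHORIZED = (401, {"error": {
    "code": 401,
    "message": "The request you have made requires authentication.",
    "title": "Not Authorized"}})
FORBIDDEN = (403, {"error": {  # constructed wording, not keystone's
    "code": 403,
    "message": "You are not authorized to perform the requested action.",
    "title": "Forbidden"}})


def _token_from(headers):
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-auth-token")


def get_user_roles_vulnerable(headers, tenant_id, user_id):
    """Behaviour in the report: the lookup runs whether or not a token is sent."""
    return 200, {"roles": ROLES.get((tenant_id, user_id), [])}


def get_user_roles_fixed(headers, tenant_id, user_id):
    """Hardened form: authenticate, then authorise, before touching any data."""
    token = _token_from(headers)
    if token is None or token not in VALID_TOKENS:
        return UNAUTHORIZED
    if not VALID_TOKENS[token]["admin"]:
        return FORBIDDEN
    return 200, {"roles": ROLES.get((tenant_id, user_id), [])}


def rejects_unauthenticated(handler):
    """Regression check: an admin handler must answer 401 with no data when
    the request carries no token at all."""
    status, body = handler({}, TENANT, USER)
    return status == 401 and "roles" not in body
```

Running `rejects_unauthenticated` against both handlers reproduces the report: the vulnerable form returns the role list with no token, the fixed form returns the 401 body.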
2013-06-07 15:40:47 |
Thierry Carrez |
summary |
Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token |
[OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token |
|
2013-06-07 15:41:35 |
Thierry Carrez |
bug task added |
|
ossa |
|
2013-06-07 15:41:48 |
Thierry Carrez |
ossa: status |
New |
Fix Released |
|
2013-06-07 15:41:48 |
Thierry Carrez |
ossa: assignee |
|
Russell Bryant (russellb) |
|