I just looked through reviewboard and didn't see any patches pending review.
-joe
On Aug 27, 2012, at 2:16 PM, Russell Bryant <email address hidden> wrote:

> We need a couple of keystone-core reviews on these patches.
>
> Here is a draft description. Right now it's mostly one long awkward
> sentence. There's probably a more elegant way of describing it ...
>
>
> Title: Revoking a role does not affect existing tokens
> Impact: High
> Reporter: Dolph Mathews (Rackspace)
> Products: Keystone
> Affects: Essex, Folsom
>
> Description:
> Dolph Mathews reported a vulnerability in Keystone. If you revoke a role from a user from the admin API and then validate a token that existed before revoking the role, the token validation response will still include that role.
>
> --
> You received this bug notification because you are a member of Keystone
> Bugs, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1041396
>
> Title:
> Token validation includes revoked roles
>
> Status in OpenStack Identity (Keystone):
> In Progress
>
> Bug description:
> To reproduce:
> 1) Initial setup: http://paste.openstack.org/raw/20477/
> 2) Authenticate as a normal user, generating a token
> 3) On the admin API, revoke a role from that user
> 4) On the admin API, validate the user's generated token
>
> The revoked role is included in the validation response. Ideally, the
> token should be entirely invalidated and return 404, although at the
> very least, the revoked role should *NOT* be included in the
> validation response.
>
> Full example:
>
> Authenticate as a user who has been granted the 'manager' role:
>
> POST http://127.0.0.1:5000/v2.0/tokens
> ======================================
>
> Content-Type: application/json
>
> {
>   "auth": {
>     "tenantName": "project-x",
>     "passwordCredentials": {
>       "username": "joe",
>       "password": "secret"
>     }
>   }
> }
>
> 200 OK
> ======
>
> Date: Fri, 24 Aug 2012 22:43:24 GMT
> Vary: X-Auth-Token
> Content-Length: 448
> Status: 200
> Content-Type: application/json
>
> {
>   "access": {
>     "token": {
>       "expires": "2012-08-25T22:43:24Z",
>       "id": "c0db082bdb7f47e4845d7be551558620",
>       "tenant": {
>         "id": "10e2a090121748388cf39e915d376f29",
>         "enabled": true,
>         "description": null,
>         "name": "project-x"
>       }
>     },
>     "serviceCatalog": {},
>     "user": {
>       "username": "joe",
>       "roles_links": [],
>       "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
>       "roles": [
>         {
>           "name": "manager"
>         }
>       ],
>       "name": "joe"
>     },
>     "metadata": {
>       "is_admin": 0,
>       "roles": [
>         "facd80ce22d44eae87375f11295f8e51"
>       ]
>     }
>   }
> }
>
> Validate the user's token (note the presence of the 'manager' role):
>
> GET http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> =======================================================================
>
> X-Auth-Token: ADMIN
>
>
> 200 OK
> ======
>
> Status: 200
> Content-Length: 490
> Content-Location: http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> Vary: X-Auth-Token
> Date: Fri, 24 Aug 2012 22:44:01 GMT
> Content-Type: application/json
>
> {
>   "access": {
>     "token": {
>       "expires": "2012-08-25T22:43:24Z",
>       "id": "c0db082bdb7f47e4845d7be551558620",
>       "tenant": {
>         "description": null,
>         "enabled": true,
>         "id": "10e2a090121748388cf39e915d376f29",
>         "name": "project-x"
>       }
>     },
>     "serviceCatalog": {},
>     "user": {
>       "username": "joe",
>       "roles_links": [],
>       "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
>       "roles": [
>         {
>           "id": "facd80ce22d44eae87375f11295f8e51",
>           "name": "manager"
>         }
>       ],
>       "name": "joe"
>     },
>     "metadata": {
>       "is_admin": 0,
>       "roles": [
>         "facd80ce22d44eae87375f11295f8e51"
>       ]
>     }
>   }
> }
>
> As admin, revoke the 'manager' role from the user:
>
> $ keystone user-role-remove --user-id=b2a6f8d5dbb249f3b9ac8a46e8cb77e6 --role-id=facd80ce22d44eae87375f11295f8e51 --tenant-id=10e2a090121748388cf39e915d376f29
>
> As admin, the validation response remains unchanged (including the
> revoked 'manager' role):
>
> GET http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> =======================================================================
>
> X-Auth-Token: ADMIN
>
>
> 200 OK
> ======
>
> Status: 200
> Content-Length: 490
> Content-Location: http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> Vary: X-Auth-Token
> Date: Fri, 24 Aug 2012 22:44:46 GMT
> Content-Type: application/json
>
> {
>   "access": {
>     "token": {
>       "expires": "2012-08-25T22:43:24Z",
>       "id": "c0db082bdb7f47e4845d7be551558620",
>       "tenant": {
>         "description": null,
>         "enabled": true,
>         "id": "10e2a090121748388cf39e915d376f29",
>         "name": "project-x"
>       }
>     },
>     "serviceCatalog": {},
>     "user": {
>       "username": "joe",
>       "roles_links": [],
>       "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
>       "roles": [
>         {
>           "id": "facd80ce22d44eae87375f11295f8e51",
>           "name": "manager"
>         }
>       ],
>       "name": "joe"
>     },
>     "metadata": {
>       "is_admin": 0,
>       "roles": [
>         "facd80ce22d44eae87375f11295f8e51"
>       ]
>     }
>   }
> }
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1041396/+subscriptions
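The following is an added illustration of the flaw the bug report describes, written for this page and not taken from Keystone's code. It models an identity store with two validation strategies: `validate_cached` replays the role snapshot that was copied into the token at issuance (the reported behaviour), while `validate_live` re-resolves the user's current assignments on every validation and rejects the token outright, in the 404 spirit the reporter asks for, once the user holds no role on the tenant at all. The store, the `TokenError` class, and the user, tenant and role names are all constructed for the example; real Keystone token formats and APIs are not modelled.

```python
"""Toy model of "token validation includes revoked roles" (added example, not Keystone code).

All identifiers (users, tenants, roles, token ids) are constructed sample values.
"""
import secrets
from datetime import datetime, timedelta, timezone


class TokenError(Exception):
    """Raised when validation should answer with a 404-style rejection."""


class IdentityStore:
    def __init__(self):
        # (user_id, tenant_id) -> set of role names currently assigned
        self.assignments = {}
        # token_id -> token record exactly as it was issued
        self.tokens = {}

    def grant(self, user_id, tenant_id, role):
        self.assignments.setdefault((user_id, tenant_id), set()).add(role)

    def revoke(self, user_id, tenant_id, role):
        # Mirrors the admin-API role removal in the bug report.
        self.assignments.get((user_id, tenant_id), set()).discard(role)

    def issue_token(self, user_id, tenant_id, ttl_hours=24):
        # The role list is snapshotted here; nothing later updates it.
        roles = sorted(self.assignments.get((user_id, tenant_id), set()))
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {
            "id": token_id,
            "user_id": user_id,
            "tenant_id": tenant_id,
            "expires": datetime.now(timezone.utc) + timedelta(hours=ttl_hours),
            "roles": roles,
        }
        return token_id

    def _lookup(self, token_id):
        token = self.tokens.get(token_id)
        if token is None or token["expires"] <= datetime.now(timezone.utc):
            raise TokenError("token not found or expired")
        return token

    def validate_cached(self, token_id):
        """Flawed: returns the roles stored with the token, revoked or not."""
        token = self._lookup(token_id)
        return {"user_id": token["user_id"], "roles": list(token["roles"])}

    def validate_live(self, token_id):
        """Corrected: roles are read from the current assignment table at
        validation time; a token whose user no longer holds any role on the
        tenant is rejected rather than answered with a stale role list."""
        token = self._lookup(token_id)
        current = self.assignments.get((token["user_id"], token["tenant_id"]), set())
        if not current:
            raise TokenError("token no longer authorizes any role on this tenant")
        return {"user_id": token["user_id"], "roles": sorted(current)}


def demo():
    """Walk the bug's reproduction steps and return (roles before revocation,
    roles from the flawed validator after revocation, result of the corrected
    validator after revocation, where None stands for the 404-style rejection)."""
    store = IdentityStore()
    store.grant("joe", "project-x", "manager")
    token = store.issue_token("joe", "project-x")
    before = store.validate_live(token)["roles"]
    store.revoke("joe", "project-x", "manager")
    stale = store.validate_cached(token)["roles"]  # still ['manager']
    try:
        live = store.validate_live(token)["roles"]
    except TokenError:
        live = None
    return before, stale, live


if __name__ == "__main__":
    print(demo())  # (['manager'], ['manager'], None)
```

Running `demo()` shows the two outcomes side by side: the cached validator keeps reporting `manager` after the revocation, exactly as the GET responses in the report do, while the live validator refuses the token. When the user still holds other roles on the tenant, `validate_live` returns only those, which matches the reporter's "at the very least" requirement that the revoked role must not appear in the response.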