Comment 5 for bug 1050025

Joseph Heck (heckj) wrote : Re: Potential problem with fix for "Revoking a role does not affect existing tokens (CVE-2012-4413)"

[08:39am] ttx: user A has a token for tenant B. Admin of tenant C grants A access to C, effectively disabling the token A had for B ?
[08:39am] dolphm: ttx: sure, the user can just re-auth though
[08:39am] ttx: dolphm: letting /anyone/ disable any token sounds a bit... abusive to me
[08:39am] ttx: and potentially something a bad guy would want to do
[08:40am] ayoung: dolphm, why not filter the list by tenant_id?
[08:40am] ttx: not very critical in its effect, for sure
[08:40am] dolphm: ttx: "anyone" being any admin, and "any token" being for a specific user
...
[08:43am] ttx: dolphm: oh. So a random user can't become the "admin" of a tenant and grant random users access to his tenant ?
[08:43am] dolphm: ttx: not in identity api v2 / current keystone impl
[08:43am] ttx: dolphm: you have to be the god of all keystone to grant roles ? In which case I agree there is no vector
[08:43am] ttx: and no impact
[08:43am] heckj: ttx: with the V2 API, that's correct