'Adminness' is not asserted when validating non-PKI tokens

Bug #1030968 reported by Dolph Mathews
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Critical
Assigned to: Dolph Mathews
Milestone: 2012.2

Bug Description

After the introduction of PKI (see bcc0f6d6fc1f674bc4b340d041b28bc1cfddf66a), it became possible to validate non-PKI tokens on the admin API without actually being an admin due to the admin assertion being moved into an if-block.

The following two resources are affected (but only for non-PKI tokens):

    GET /tokens/{token_id}
    HEAD /tokens/{token_id}

See keystone/service.py line 472: https://github.com/openstack/keystone/commit/bcc0f6d6fc1f674bc4b340d041b28bc1cfddf66a
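The flaw described above, as an added and deliberately simplified model (not keystone's own code): the token store, the role names and the `pki` flag are assumptions, and the vulnerable function places the admin assertion inside the PKI branch so that the non-PKI path skips it, while the fixed one asserts adminness before any branching.

```python
# Simplified model of bug 1030968; not keystone's code. The token store,
# role names and the "pki" flag are constructed for the example.
class Unauthorized(Exception):
    pass

# Constructed sample token store: token_id -> token record.
TOKENS = {
    "admin-tok": {"roles": ["admin"], "pki": False},
    "user-tok": {"roles": ["member"], "pki": False},
    "pki-tok": {"roles": ["member"], "pki": True},
}

def assert_admin(context):
    """Require the caller's own token to carry the admin role."""
    caller = TOKENS.get(context.get("token"))
    if caller is None or "admin" not in caller["roles"]:
        raise Unauthorized("admin role required")

def validate_token_vulnerable(context, token_id):
    """Before the fix: the admin check lives inside the PKI branch only,
    so any caller can validate (read) a non-PKI token."""
    token = TOKENS.get(token_id)
    if token is None:
        raise KeyError(token_id)
    if token["pki"]:
        assert_admin(context)  # only reached for PKI tokens
        return token
    return token  # non-PKI path never asserts adminness

def validate_token_fixed(context, token_id):
    """After the fix: adminness is asserted before any branching."""
    assert_admin(context)
    token = TOKENS.get(token_id)
    if token is None:
        raise KeyError(token_id)
    return token

def non_admin_can_validate(validate, token_id="admin-tok"):
    """Regression probe: True if a member-role caller can validate token_id."""
    try:
        validate({"token": "user-tok"}, token_id)
        return True
    except Unauthorized:
        return False
```

The probe is the kind of check a regression test for GET/HEAD /tokens/{token_id} should carry: a non-admin caller must be refused for every token type, not only PKI ones.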

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10551

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/10545
Committed: http://github.com/openstack/keystone/commit/ba8f351c6b72c2c49b070bf5e5551ff26fd3402b
Submitter: Jenkins
Branch: master

commit ba8f351c6b72c2c49b070bf5e5551ff26fd3402b
Author: Dolph Mathews <email address hidden>
Date: Mon Jul 30 11:23:32 2012 -0500

    Assert adminness on token validation (bug 1030968)

    - Only affects non-PKI tokens

    - Includes style changes following bug 1003962
      - Fixed redundant imports & import order
      - Fixed single quote consistency
      - Fixed line continuations
      - Refactored a bit for readability

    Change-Id: I2d2566c615919f4968fd5636744fdb613b8fa3ad

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) wrote :

Given that this was introduced 4 days ago and never in any milestone, can we consider that this is not worth an advisory?

Russell Bryant (russellb) wrote :

ttx: IMO, yes

Dolph Mathews (dolph) wrote :

ttx: +1 for not worthy

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: folsom-3 → 2012.2
This report contains Public Security information  
Everyone can see this security related information.