ec2tokens passes AWS Access Key ID twice

Bug #904526 reported by justinsb
Affects: OpenStack Identity (keystone)
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

The AWS Access Key Id is passed twice in the request to ec2tokens, once in the top-level 'access' key, and once in params / AWSAccessKeyId.

{"ec2Credentials": {"access": "e51d453d-e88d-ed8d-886f-f7f91f111a2d", "host": "192.168.1.104:8773", "verb": "POST", "params": {"SignatureVersion": "2", "AWSAccessKeyId": "e51d453d-e88d-ed8d-886f-f7f91f111a2d", "Timestamp": "2011-12-14T00:41:10Z", "SignatureMethod": "HmacSHA256", "Version": "2011-01-01", "Action": "DescribeInstances"}, "signature": "7V3HY0MlPnkxOJ7eNULbA9CiAGkO4ON9EHfVQeeIRq0=", "path": "/services/Cloud/"}}HTTP/1.1

Tags: legacy
Ziad Sawalha (ziad-sawalha) wrote :

Which of those two places would you expect it to be?

Changed in keystone:
status: New → Confirmed
milestone: none → essex-3
justinsb (justin-fathomdb) wrote :

I don't mind at all... just want to avoid the "man with two watches" problem and the potential security holes that might result if we checked one but used the other.

Harry Kim (harrykim) wrote :

.

Dolph Mathews (dolph) wrote :

Is one of them intended to continue support for a deprecated behavior?

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Changed in keystone:
milestone: essex-3 → essex-4
Joseph Heck (heckj)
Changed in keystone:
importance: Undecided → Medium
Joseph Heck (heckj)
tags: added: legacy
Joseph Heck (heckj)
Changed in keystone:
milestone: essex-4 → none
Adam Young (ayoung) wrote :

File keystone/middleware/ec2_token.py, method EC2Token.__call__, generates the request.
access = req.params['AWSAccessKeyId'] is explicitly culled out of the request. This is what is set in the JSON request:
        creds = {
            'ec2Credentials': {
                'access': access,
                'signature': signature,
                'host': req.host,
                'verb': req.method,
                'path': req.path,
                'params': auth_params,
            }
        }

The value in Params comes from the auth_params = dict(req.params) which will include the value above. We could pop the AWSAccessKeyId out of there, just like

auth_params.pop('Signature')

On the receiving side, the implementation is done in keystone/contrib/ec2/core.py Ec2Controller:authenticate.

self._get_credentials(context, credentials['access']) is passed on, which maps to the access key in the above JSON. The fact that it is duplicated in the params is coincidental and ignored.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/39484

Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph) wrote :

I think it's a bit late to see this "fixed" as we have no guarantee that api clients aren't dependent on the "wrong" value. If anything we should be testing to ensure that this bug remains and that the two values match.

Changed in keystone:
assignee: Adam Young (ayoung) → nobody
status: In Progress → Won't Fix
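The check that the last comment asks for, as an added example written for this page (not keystone's own code): it takes the inner ec2Credentials object, refuses the request when the top-level 'access' and params['AWSAccessKeyId'] disagree, and only then verifies the SignatureVersion 2 HmacSHA256 signature over verb, host, path and params, so no code path can check one copy of the id and use the other. The secret lookup callback and the sample key ids and secret are assumptions; the request shape and field values are taken from the bug report.

```python
import base64
import hashlib
import hmac
import urllib.parse

def string_to_sign_v2(verb, host, path, params):
    """AWS Signature Version 2 canonical string: 'Signature' itself is excluded, the
    remaining parameters are sorted by name and percent-encoded (RFC 3986 unreserved set)."""
    quote = lambda s: urllib.parse.quote(str(s), safe="-_.~")
    query = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()) if k != "Signature")
    return "\n".join([verb, host, path, query])

def sign_v2(secret, string_to_sign):
    """HmacSHA256 over the canonical string, base64-encoded as in the sample request above."""
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def consistent_access_key(creds):
    """Return the access key id only when 'access' and params['AWSAccessKeyId'] agree."""
    top = creds.get("access")
    inner = creds.get("params", {}).get("AWSAccessKeyId")
    if top is None or inner is None:
        raise ValueError("access key id missing from 'access' or params")
    if top != inner:
        raise ValueError("access key id differs between 'access' and params['AWSAccessKeyId']")
    return top

def verify_ec2_credentials(creds, secret_for):
    """Reject disagreeing ids first, then check the signature with the secret that
    secret_for() returns (a hypothetical credential lookup; None means unknown id)."""
    try:
        access = consistent_access_key(creds)
    except ValueError:
        return False
    secret = secret_for(access)
    if secret is None:
        return False
    expected = sign_v2(secret, string_to_sign_v2(creds["verb"], creds["host"], creds["path"], creds["params"]))
    return hmac.compare_digest(expected, creds.get("signature", ""))

def make_sample_request(secret, access, param_access):
    """Constructed sample shaped like the bug report's request; the two ids may differ."""
    params = {"SignatureVersion": "2", "AWSAccessKeyId": param_access, "Timestamp": "2011-12-14T00:41:10Z",
              "SignatureMethod": "HmacSHA256", "Version": "2011-01-01", "Action": "DescribeInstances"}
    sig = sign_v2(secret, string_to_sign_v2("POST", "192.168.1.104:8773", "/services/Cloud/", params))
    return {"access": access, "host": "192.168.1.104:8773", "verb": "POST",
            "path": "/services/Cloud/", "params": params, "signature": sig}
```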