[Yahoo-eng-team] [Bug 2027729] [NEW] Federation docs for OIDC recommend implicit grant
Public bug reported: The documentation for setting up OIDC says to use id_token in OIDCResponseType instead of code (or omitting the line entirely since code is the default). https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configuring- apache-httpd-for-mod-auth-openidc Using implicit grant is not recommended as https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security- topics-09 What is recommended is Authorization Code with PKCE. ** Affects: keystone Importance: Undecided Status: Triaged ** Tags: documentation federation -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/2027729 Title: Federation docs for OIDC recommend implicit grant Status in OpenStack Identity (keystone): Triaged Bug description: The documentation for setting up OIDC says to use id_token in OIDCResponseType instead of code (or omitting the line entirely since code is the default). https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configuring- apache-httpd-for-mod-auth-openidc Using implicit grant is not recommended as https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security- topics-09 What is recommended is Authorization Code with PKCE. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/2027729/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1786646] Re: Domain Existence Leaking without authentication
** Changed in: keystone
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1786646
Title:
Domain Existence Leaking without authentication
Status in OpenStack Identity (keystone):
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The Domain Configuration subsystem, specifically PATCH
/domains/{domain_id}/config/{group} appears to leak data before
enforcement. The method called from the routed path[0] performs a
"domain exists" check[1] before sending to the 'update_domain_config'
method [2] which is behind the @protected decorator.
This has the potential to be used to verify existence of domains by ID
without authentication. This is in-fact a data leak. However, since
domains (outside of "default" and the keystone-root domain) are uuids,
this is likely a C1 classification in the VMT Taxonomy [3] (Useful if
an attacker is guessing UUIDs). The only case where this is more
significant is that it can be used to determine if the default domain
is enabled/configured; the usefulness of such data is relatively
suspect and unlikely to be meaningful.
However, with all that said, since this is a potential security flaw,
the bug has been marked private security.
[0]
https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55
[1]
https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134
[2]
https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131
[3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1786646/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1877720] Re: test-bug
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1877720 Title: test-bug Status in OpenStack Identity (keystone): Invalid Bug description: ss To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1877720/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1877709] Re: test-bug
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1877709 Title: test-bug Status in OpenStack Identity (keystone): Invalid Bug description: I am noly want to test To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1877709/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1856190] Re: Logout button for use with SSO/Mellon based integrations
Hi Lorenzo, this is was a Horizon bug and is being tracked here. https://bugs.launchpad.net/horizon/+bug/1747149 ** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1856190 Title: Logout button for use with SSO/Mellon based integrations Status in OpenStack Identity (keystone): Invalid Bug description: Keystone WebSSO - SAML/Mellon integration Looks like the Horizon logout doesn't affect the IdP session which is not invalidated. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1856190/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1809116] [NEW] Renewable Application Credentials
Public bug reported: This bug is used for tracking the progress of the application credential feature in keystone. Summary === Allow creation of applications credentials based on the authorization of mapped group assignments. The application credentials will require the user who created the application credential to log in with the same authorization in the external identity provider, in order to renew it. ** Affects: keystone Importance: Undecided Assignee: Kristi Nikolla (knikolla) Status: New ** Tags: federation -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1809116 Title: Renewable Application Credentials Status in OpenStack Identity (keystone): New Bug description: This bug is used for tracking the progress of the application credential feature in keystone. Summary === Allow creation of applications credentials based on the authorization of mapped group assignments. The application credentials will require the user who created the application credential to log in with the same authorization in the external identity provider, in order to renew it. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1809116/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1776161] Re: my own test bug
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1776161 Title: my own test bug Status in OpenStack Identity (keystone): Invalid Bug description: a bug for test by myself To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1776161/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1760205] [NEW] A deleted federated user cannot be recreated for some time
Public bug reported: When you delete a shadow user and the user tries to log in again through federation, they'll get a can't find user error. Retrying after 10 (or so) minutes works. My Setup 1. devstack-idp is the identity provider for service provider devstack-sp1, using Keystone to Keystone (SAML) with Shibboleth 2. user-idp gets a SAML assertion from devstack-idp keystone and uses that to authenticate with devstack-sp1 keystone. 3. devstack-sp1 create shadow user user-sp1. 4. admin deletes user-sp1 in devstack-sp1. 5. Step two is performed again 6. user-idp gets a 'Could not find user ' from devstack-sp1. 7. After 10 (or so) minutes user tries again, this time it works and he is able to authenticate to (id of this user-sp1 is different than the prior one). ** Affects: keystone Importance: Undecided Status: New ** Tags: federation -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1760205 Title: A deleted federated user cannot be recreated for some time Status in OpenStack Identity (keystone): New Bug description: When you delete a shadow user and the user tries to log in again through federation, they'll get a can't find user error. Retrying after 10 (or so) minutes works. My Setup 1. devstack-idp is the identity provider for service provider devstack-sp1, using Keystone to Keystone (SAML) with Shibboleth 2. user-idp gets a SAML assertion from devstack-idp keystone and uses that to authenticate with devstack-sp1 keystone. 3. devstack-sp1 create shadow user user-sp1. 4. admin deletes user-sp1 in devstack-sp1. 5. Step two is performed again 6. user-idp gets a 'Could not find user ' from devstack-sp1. 7. After 10 (or so) minutes user tries again, this time it works and he is able to authenticate to (id of this user-sp1 is different than the prior one). To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1760205/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1754048] [NEW] Federated domain is reported when validating a federated token
Public bug reported: Prior to introducing per idp domains, all federated users lived in the Federated domain. That is not the case anymore but Keystone keeps reporting that federated users are part of that domain rather their per- idp domains. Token validation: http://paste.openstack.org/show/693652/ ** Affects: keystone Importance: Undecided Status: New ** Tags: federation -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1754048 Title: Federated domain is reported when validating a federated token Status in OpenStack Identity (keystone): New Bug description: Prior to introducing per idp domains, all federated users lived in the Federated domain. That is not the case anymore but Keystone keeps reporting that federated users are part of that domain rather their per-idp domains. Token validation: http://paste.openstack.org/show/693652/ To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1754048/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1747149] [NEW] LOGOUT_URL setting has no effect
Public bug reported: Setting LOGOUT_URL in `etc/openstack-dashboard/local_settings.py` has no effect on the URL displayed in the dropdown menu. It still points to `/dashboard/auth/logout/`. Setting this value is important when using SSO so as to redirect the user to the SSO logout page, and then having that page redirect the user back to `/dashboard/auth/logout/` to unset the session cookies. I'm currently doing a workaround where I alias that path in the apache configuration, unset the headers, and redirect the user to my SSO logout page. ** Affects: horizon Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1747149 Title: LOGOUT_URL setting has no effect Status in OpenStack Dashboard (Horizon): New Bug description: Setting LOGOUT_URL in `etc/openstack-dashboard/local_settings.py` has no effect on the URL displayed in the dropdown menu. It still points to `/dashboard/auth/logout/`. Setting this value is important when using SSO so as to redirect the user to the SSO logout page, and then having that page redirect the user back to `/dashboard/auth/logout/` to unset the session cookies. I'm currently doing a workaround where I alias that path in the apache configuration, unset the headers, and redirect the user to my SSO logout page. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1747149/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1738895] [NEW] Filtering by name doesn't work for federated users when listing
Public bug reported: When attempting to filter users by name, it works for local users, but doesn't work for federated users. Pasted shell session shows: 1. Listing all users shows federated users too. 2. Filtering by name a federated user doesn't work. 3. Filtering by name a local user works. http://paste.openstack.org/show/629249/ ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1738895 Title: Filtering by name doesn't work for federated users when listing Status in OpenStack Identity (keystone): New Bug description: When attempting to filter users by name, it works for local users, but doesn't work for federated users. Pasted shell session shows: 1. Listing all users shows federated users too. 2. Filtering by name a federated user doesn't work. 3. Filtering by name a local user works. http://paste.openstack.org/show/629249/ To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1738895/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1696111] Re: Keystone confuses users when creating a trust when there's a roles name conflict
Also affects python-keystoneclient as it only support names. [0] Agree that the correct solution is to allow ids also. 0. https://github.com/openstack/python- keystoneclient/blob/71af540c81ecb933d912ef5ecde128afcc0deeeb/keystoneclient/v3/contrib/trusts.py#L41 ** Also affects: python-keystoneclient Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1696111 Title: Keystone confuses users when creating a trust when there's a roles name conflict Status in OpenStack Identity (keystone): Triaged Status in python-keystoneclient: New Status in python-openstackclient: New Bug description: Due to code [1] Keystone produces a confusing message when: * We're using python-openstackclient * We're creating a trust with a role name that exists in more that one domain. "role %s is not defined" suggests that there isn't a role like that. What actually happens, Keystone cannot decide which role is the user's choice. python-openstackclient automatically converts role ids to role names when sending a POST request, so specifying roles using an id doesn't help at all. [1] https://github.com/openstack/keystone/blob/03319d1/keystone/trust/controllers.py#L90-L94 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1696111/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1676497] [NEW] bindep returns wrong package name for libssl-dev in redhat
Public bug reported: The libssl-dev package is registered in bindep.txt for both ubuntu and rpm distros. The actual name of the package in red hat distros is openssl-devel. [fedora@desire keystone]$ bindep platform:rpm Missing packages: libssl-dev ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1676497 Title: bindep returns wrong package name for libssl-dev in redhat Status in OpenStack Identity (keystone): New Bug description: The libssl-dev package is registered in bindep.txt for both ubuntu and rpm distros. The actual name of the package in red hat distros is openssl-devel. [fedora@desire keystone]$ bindep platform:rpm Missing packages: libssl-dev To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1676497/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1544721] [NEW] Policy for listing service providers requires admin
Public bug reported:
When creating a v3 keystoneclient using non admin credentials I'm able
to get the list of service providers from the service catalog, but the
policy doesn't allow to list or get service providers by default.
>>> ksclient2.service_catalog.catalog[u'service_providers']
[{u'sp_url': u'http://xxx.xxx.xxx.xxx:5000/Shibboleth.sso/SAML2/ECP',
u'auth_url':
u'http://xxx.xxx.xxx.xxx:35357/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth',
u'id': u'keystone-sp'}]
>>> ksclient2.federation.service_providers.list()
Traceback (most recent call last):
File "", line 1, in
File
"/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/contrib/federation/service_providers.py",
line 76, in list
return super(ServiceProviderManager, self).list(**kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line
75, in func
return f(*args, **new_kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line
388, in list
self.collection_key)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line
124, in _list
resp, body = self.client.get(url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line
170, in get
return self.request(url, 'GET', **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line
206, in request
resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line
95, in request
return self.session.request(url, method, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line
337, in inner
return func(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py", line
405, in request
raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the
requested action: identity:list_service_providers (Disable debug mode to
suppress these details.) (HTTP 403) (Request-ID:
req-485c64e6-5de1-4470-9439-e05275a350fa)
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1544721
Title:
Policy for listing service providers requires admin
Status in OpenStack Identity (keystone):
New
Bug description:
When creating a v3 keystoneclient using non admin credentials I'm able
to get the list of service providers from the service catalog, but the
policy doesn't allow to list or get service providers by default.
>>> ksclient2.service_catalog.catalog[u'service_providers']
[{u'sp_url': u'http://xxx.xxx.xxx.xxx:5000/Shibboleth.sso/SAML2/ECP',
u'auth_url':
u'http://xxx.xxx.xxx.xxx:35357/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth',
u'id': u'keystone-sp'}]
>>> ksclient2.federation.service_providers.list()
Traceback (most recent call last):
File "", line 1, in
File
"/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/contrib/federation/service_providers.py",
line 76, in list
return super(ServiceProviderManager, self).list(**kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line
75, in func
return f(*args, **new_kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line
388, in list
self.collection_key)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line
124, in _list
resp, body = self.client.get(url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py",
line 170, in get
return self.request(url, 'GET', **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py",
line 206, in request
resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py",
line 95, in request
return self.session.request(url, method, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line
337, in inner
return func(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py",
line 405, in request
raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform
the requested action: identity:list_service_providers (Disable debug mode to
suppress these details.) (HTTP 403) (Request-ID:
req-485c64e6-5de1-4470-9439-e05275a350fa)
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1544721/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe :
