** Changed in: keystone
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1187198
Title:
V3 policy engine does not support domain isolation of roles during
policy evaluation.
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
It seems that while evaluating API access rights, the policy engine only looks
for the roles in the incoming credential (X-Auth-Token) but does not
consider the domain of the target.
Scenario:
1. There is a role defined in the system called "user_creator", and a policy is set up
for this role for the "identity:create_domain" API.
2. There are two domains, Da and Db, in the system.
3. In domain Da there is a user Ua. Ua has "user_creator" on domain Da.
4. Ua gets a token scoped to Da and hence his credential has the "user_creator"
role.
5. Now Ua uses "POST /users" to create a user (suppose Ub) in domain Db.
Step 5 should fail because in reality Ua does not have the "user_creator" role
in Db, but it succeeds due to this bug.
Note, this is true for all relevant APIs.
This seems to be a security vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1187198/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
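The scenario in the bug report, replayed against two policy rules as an added example (this is not Keystone or oslo.policy code; it is a deliberately minimal stand-in evaluator whose rule syntax mimics the "role:X" and "domain_id:%(target.user.domain_id)s" atoms of Keystone's policy.json). The rule name "identity:create_user", the flattened target key "target.user.domain_id", and the presence of a "domain_id" attribute in the credentials of a domain-scoped token are assumptions made for the example. The first policy checks only the roles carried in the token, which is the behaviour the report describes; the second additionally requires the token's domain to match the target user's domain, which is the check that closes the gap.

```python
"""Toy policy evaluator for the domain-isolation gap described in the bug.

Added example, not Keystone or oslo.policy code.  Only "and"-joined atoms of
the forms "role:<name>" and "<attr>:%(<target key>)s" are supported, which is
enough to contrast a role-only rule with a domain-aware one.
"""
import re

ACTION = "identity:create_user"  # assumed rule name for POST /users

# Constructed policy files.  POLICY_ROLE_ONLY mirrors the reported behaviour:
# any token carrying the role passes, whatever domain the target lives in.
POLICY_ROLE_ONLY = {
    ACTION: "role:user_creator",
}
# POLICY_DOMAIN_AWARE also binds the token's domain to the target's domain.
POLICY_DOMAIN_AWARE = {
    ACTION: "role:user_creator and domain_id:%(target.user.domain_id)s",
}

_SUBST = re.compile(r"%\((.+)\)s")


def _check(atom, creds, target):
    """Evaluate one 'kind:value' atom against credentials and target.

    creds:  attributes taken from the validated token (roles, domain_id, ...)
    target: flattened attributes of the object being acted on, keyed like
            "target.user.domain_id" (assumed layout for this example)
    """
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic attribute check: a %(key)s value is looked up in the target and
    # compared with the same-named credential attribute.  A missing target
    # attribute or a token without that attribute is a deny, never a pass.
    m = _SUBST.fullmatch(value)
    expected = target.get(m.group(1)) if m else value
    return expected is not None and creds.get(kind) == expected


def enforce(policy, action, creds, target):
    """Return True if the rule for `action` permits `creds` on `target`."""
    rule = policy[action]
    return all(_check(atom.strip(), creds, target) for atom in rule.split(" and "))


def scenario(policy, creds=None):
    """Replay steps 3-5 of the report under `policy`.

    Returns the verdict for Ua creating a user in Db (should be denied) and,
    as a control, in Ua's own domain Da (should be allowed).
    """
    # Constructed credentials: Ua's token scoped to Da carrying user_creator.
    ua_token = creds if creds is not None else {
        "roles": ["user_creator"], "domain_id": "Da"}
    return {
        "create_in_Db": enforce(policy, ACTION, ua_token,
                                {"target.user.domain_id": "Db"}),
        "create_in_Da": enforce(policy, ACTION, ua_token,
                                {"target.user.domain_id": "Da"}),
    }


if __name__ == "__main__":
    print("role-only policy:   ", scenario(POLICY_ROLE_ONLY))
    print("domain-aware policy:", scenario(POLICY_DOMAIN_AWARE))
```

The role-only rule grants the cross-domain create in step 5, which is exactly the reported outcome; the domain-aware rule denies it while still permitting the same token to create users in Da. The generic attribute check deliberately fails closed: a project-scoped token with no "domain_id" attribute, or a target with no domain, is denied rather than treated as a wildcard match.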