** Changed in: keystone/essex
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1064914
Title:
[OSSA-2012-018] Removing user from a tenant isn't invalidating user
access to tenant
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone essex series:
Fix Released
Status in Keystone folsom series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Status in “keystone” package in Ubuntu:
Fix Released
Status in “keystone” source package in Quantal:
Fix Released
Bug description:
Was: (Able to access ec2 resources without a user-role)
Steps to reproduce:
1. I have created a user, tenant and ec2 credentials using keystone and didn't
associate a role,
then tried to run
$ euca-describe-images
Unauthorized: Failure communicating with keystone2
2. Then associated a role to the user
$ keystone user-role-add --user-id ee32bff3e1524a2b82fe804aac0ce682 \
    --tenant-id cf38a72df8a14bb8984c699edfceb1c3 \
    --role-id 26760c0f9ed045fcb70112f7b16813b3
3. Then again I ran
$ euca-describe-images
IMAGE ami-00000002 None (cirros-0.3.0-x86_64-uec)
597b866b450d491f889b9432a564e9a9 available public
machineaki-00000001 ari-00000003 instance-store
IMAGE ari-00000003 None (cirros-0.3.0-x86_64-uec-ramdisk)
597b866b450d491f889b9432a564e9a9 available public
ramdisk instance-store
IMAGE aki-00000001 None (cirros-0.3.0-x86_64-uec-kernel)
597b866b450d491f889b9432a564e9a9 available public
kernel instance-store
4. Remove the user-role
$ keystone user-role-delete --user-id ee32bff3e1524a2b82fe804aac0ce682 \
    --tenant-id cf38a72df8a14bb8984c699edfceb1c3 \
    --role-id 26760c0f9ed045fcb70112f7b16813b3
5. Now the user doesn't have any role associated; now again run
$ euca-describe-images
IMAGE ami-00000002 None (cirros-0.3.0-x86_64-uec)
597b866b450d491f889b9432a564e9a9 available public
machineaki-00000001 ari-00000003 instance-store
IMAGE ari-00000003 None (cirros-0.3.0-x86_64-uec-ramdisk)
597b866b450d491f889b9432a564e9a9 available public
ramdisk instance-store
IMAGE aki-00000001 None (cirros-0.3.0-x86_64-uec-kernel)
597b866b450d491f889b9432a564e9a9 available public
kernel instance-store
Here the user should get the message as in step 2, but it was successful.
Not sure if this is a bug with keystone or ec2.
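
Added example (not part of the original report and not Keystone code): a simplified Python model of the failure named in the bug title, replaying steps 1-5 as a regression check. It assumes the stale access comes from a credential issued before the role was removed and still accepted afterwards; the class, function and identifier names are constructed for illustration.

```python
import secrets


class IdentityService:
    """Toy identity service (constructed model, not Keystone code)."""

    def __init__(self, revoke_on_role_change):
        self.revoke_on_role_change = revoke_on_role_change
        self.roles = {}    # (user, tenant) -> set of role names
        self.tokens = {}   # token id -> (user, tenant) scope

    def add_role(self, user, tenant, role):
        self.roles.setdefault((user, tenant), set()).add(role)

    def remove_role(self, user, tenant, role):
        self.roles.get((user, tenant), set()).discard(role)
        if self.revoke_on_role_change:
            # Hardened behaviour: drop every token scoped to this user/tenant.
            self.tokens = {t: scope for t, scope in self.tokens.items()
                           if scope != (user, tenant)}

    def authenticate(self, user, tenant):
        # A token is only issued while the user holds a role on the tenant.
        if not self.roles.get((user, tenant)):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (user, tenant)
        return token

    def validate(self, token):
        # Validation only checks that the token is still stored (assumption).
        return token in self.tokens


def replay_report_steps(revoke_on_role_change):
    """Replay steps 1-5 of the report; return the access result per stage."""
    svc = IdentityService(revoke_on_role_change)
    user, tenant, role = "user-a", "tenant-a", "member"   # constructed ids
    no_role = svc.authenticate(user, tenant) is not None  # step 1
    svc.add_role(user, tenant, role)                      # step 2
    token = svc.authenticate(user, tenant)                # step 3
    with_role = svc.validate(token)
    svc.remove_role(user, tenant, role)                   # step 4
    after_removal = svc.validate(token)                   # step 5
    return no_role, with_role, after_removal
```

With revocation disabled the third value is True, matching the behaviour in step 5; with revocation enabled it is False, which is the result the report expects.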