** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1417366

Title:
  a normal user can get other user's ec2credential

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  https://github.com/openstack/keystone/blob/master/etc/policy.json#L65
  Note that owner only checks if the user owns the passed token. In fact, we
  should also check if the user owns the credential. The correct policy should
  be the one ec2_delete_credential uses:
  https://github.com/openstack/keystone/blob/master/etc/policy.json#L68
