Reviewed: https://review.openstack.org/419693 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0f3f08c3df0dd6c32e685dae6726e945b01ea8c7 Submitter: Jenkins Branch: master
commit 0f3f08c3df0dd6c32e685dae6726e945b01ea8c7 Author: Morgan Fainberg <[email protected]> Date: Thu Jan 12 15:19:48 2017 -0800 Force use of AuthContext object in .authentcate() Force the keystone.auth.controllers.Auth.authenticate method to require the use of an AuthContext object instead of something duck-typed (dictionary). This is done to ensure the security and integrity of IDENTITY_KEYS are covered and values are not changed by a plugin due to the security built into AuthContext being circumvented since it was not used. This is not pythonic, this is being done for hardening purposes. Change-Id: I013846af59587d17b15ca4cf546e6372231f576e Closes-Bug: #1656076 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1656076 Title: The keystone server auth plugin methods could mismatch user_id in auth_context Status in OpenStack Identity (keystone): Fix Released Status in OpenStack Identity (keystone) mitaka series: Invalid Status in OpenStack Identity (keystone) newton series: Invalid Status in OpenStack Identity (keystone) ocata series: Fix Released Bug description: The keystone server blindly overwrites the auth_context.user_id in each auth method that is run. This means that the last auth_method that is run for a given authentication request dictates the user_id. While this is not exploitable externally without misconfiguration of the external plugin methods and supporting services, this is a bad state that could relatively easily result in someone ending up authenticated with the wrong user_id. The simplest fix will be to have the for loop in the authentication controller (that iterates over the methods) to verify the user_id does not change between auth_methods executed. https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557 This has been marked as public security for hardening purposes, likely a "Class D" https://security.openstack.org/vmt-process.html#incident- report-taxonomy To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
