Reviewed:  https://review.openstack.org/459742
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=53a4f33f8872b5bad05d26e63c323a31ad8189b4
Submitter: Jenkins
Branch:    master

commit 53a4f33f8872b5bad05d26e63c323a31ad8189b4
Author: Tristan Cacqueray <[email protected]>
Date:   Tue Apr 25 14:02:09 2017 +0000

    Adds OSSA-2017-004 (CVE-2017-2673)

    Change-Id: I8c1166125c7c1e206eefbe518be7bff3376c055c
    Closes-Bug: #1677723

** Changed in: ossa
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1677723

Title:
  [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Keystone stable/ocata. Federation is used with the following mapping:
  http://paste.openstack.org/show/ou0GTGp9fTQIzcHtixUU/ . As you can see,
  all users get a _member_ role, which has almost no permissions, and this
  role is granted for the newly-created project.

  User admin@Default, with role admin in project admin@Default, wants to do
  something for project "Dev project for [email protected]".
  admin@Default assigns themselves role admin on the project:

    openstack role assign --user admin --user-domain Default --project-id <id for Dev project for unprivileged@> admin

  At this point, if federated user "[email protected]" gets a new
  token by going through federation and then scopes the token, they get a
  token with role admin. Here is an example of such a token:
  http://paste.openstack.org/show/7vncdFywNmi6WZ9S7KXX/. In Horizon it
  means they can see and do everything admin can do.

  There is no record of the unprivileged user having role admin in the
  database. This assignment is not displayed in `openstack role assignment
  list`. The assignment only becomes effective when a scoped token is
  requested.

  The workaround for the issue is to remove role admin from admin@Default on
  project "Dev project for unprivileged@". The unprivileged user immediately
  loses admin privileges; the token is still valid, but there is no role
  "admin" in GET /v3/auth/tokens.
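The symptom the report describes is a scoped token that carries a role no recorded assignment explains. The following is an added example, not Keystone code and not part of the bug report: it cross-checks the roles in a v3 token body (the shape returned by GET /v3/auth/tokens) against the effective role assignments Keystone reports for the same user and project (GET /v3/role_assignments?user.id=...&scope.project.id=...&effective), and lists every token role with no matching assignment. The two JSON bodies, the user and project names, and all IDs are constructed for the example.

```python
"""Flag roles that appear in a scoped Keystone v3 token but have no recorded
effective role assignment for the token's user and project.

Added example; not Keystone's own code. Both response bodies below are
constructed samples with made-up IDs that mimic the situation in the report.
"""
import json

# Constructed sample: a project-scoped token body as GET /v3/auth/tokens
# returns it. The federated user's token carries 'admin' next to the
# '_member_' role the mapping granted.
TOKEN_BODY = {
    "token": {
        "methods": ["token"],
        "user": {
            "id": "fed-user-1",
            "name": "unprivileged",
            "domain": {"id": "fed-domain-1", "name": "Federated"},
        },
        "project": {
            "id": "proj-dev-1",
            "name": "Dev project for unprivileged",
            "domain": {"id": "fed-domain-1", "name": "Federated"},
        },
        "roles": [
            {"id": "role-member", "name": "_member_"},
            {"id": "role-admin", "name": "admin"},
        ],
    }
}

# Constructed sample: what the effective role assignment query returns for
# the same user and project. Only the mapping's '_member_' grant is on
# record; nothing grants 'admin' to this user.
ASSIGNMENTS_BODY = {
    "role_assignments": [
        {
            "role": {"id": "role-member"},
            "user": {"id": "fed-user-1"},
            "scope": {"project": {"id": "proj-dev-1"}},
        }
    ]
}


def token_scope(token_body):
    """Return (user_id, project_id, {role_id: role_name}) from a token body."""
    tok = token_body["token"]
    if "project" not in tok:
        raise ValueError("token is not project-scoped")
    roles = {r["id"]: r["name"] for r in tok.get("roles", [])}
    return tok["user"]["id"], tok["project"]["id"], roles


def recorded_role_ids(assignments_body, user_id, project_id):
    """Role IDs the assignment list records for this user on this project.

    Entries for other users (or group-only entries without a user) and other
    scopes are ignored; the effective query already flattens group and
    inherited grants into per-user entries.
    """
    ids = set()
    for entry in assignments_body.get("role_assignments", []):
        if entry.get("user", {}).get("id") != user_id:
            continue
        if entry.get("scope", {}).get("project", {}).get("id") != project_id:
            continue
        ids.add(entry["role"]["id"])
    return ids


def unrecorded_roles(token_body, assignments_body):
    """Names of roles in the token with no recorded assignment, sorted.

    Comparison is by role ID, which both bodies carry; names are only used
    for the report.
    """
    user_id, project_id, token_roles = token_scope(token_body)
    recorded = recorded_role_ids(assignments_body, user_id, project_id)
    return sorted(name for rid, name in token_roles.items() if rid not in recorded)


def unrecorded_roles_from_json(token_json, assignments_json):
    """Same check on the raw JSON text of the two API responses."""
    return unrecorded_roles(json.loads(token_json), json.loads(assignments_json))


def check_sample():
    """Run the check on the constructed sample above."""
    return unrecorded_roles(TOKEN_BODY, ASSIGNMENTS_BODY)


if __name__ == "__main__":
    leaked = check_sample()
    if leaked:
        print("roles in token without a recorded assignment:", ", ".join(leaked))
    else:
        print("token roles match recorded assignments")
```

To run it against a real deployment, capture the scoped token body with `curl -H "X-Auth-Token: $T" -H "X-Subject-Token: $T" $OS_AUTH_URL/v3/auth/tokens` (where `$T` is the token under test) and the assignment list with an admin token from `$OS_AUTH_URL/v3/role_assignments?user.id=<user>&scope.project.id=<project>&effective`, then pass both bodies to `unrecorded_roles_from_json`. On the sample data the check reports `admin`, which is exactly the role the report says shows up in the token but not in `openstack role assignment list`; after the workaround (removing admin@Default's role on the project) a fresh token body should make the check return an empty list.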

