Reviewed:  https://review.openstack.org/459705
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2139639eeabc8f6941f4461fc87d609cde3118c2
Submitter: Jenkins
Branch:    master

commit 2139639eeabc8f6941f4461fc87d609cde3118c2
Author: Boris Bobrov <[email protected]>
Date:   Tue Apr 25 13:57:16 2017 +0000

    Do not fetch group assignments without groups

    Without the change, the method fetched all assignments for a project
    or domain, regardless of who has the assignment, user or group. This
    led to a situation where a federated user without groups could scope
    a token with another user's roles.

    Return an empty list of assignments if no groups were passed.

    Closes-Bug: 1677723
    Change-Id: I65f5be915bef2f979e70b043bde27064e970349d

** Changed in: keystone
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1677723

Title:
  [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Keystone stable/ocata. Federation is used with the following mapping:
  http://paste.openstack.org/show/ou0GTGp9fTQIzcHtixUU/ . As you can see,
  all users get a _member_ role, which has almost no permissions, and this
  role is granted for the newly-created project.

  User admin@Default, with role admin in project admin@Default, wants to do
  something for project "Dev project for [email protected]". admin@Default
  assigns themselves role admin on the project (openstack role assign --user
  admin --user-domain Default --project-id <id for Dev project for
  unprivileged@> admin).

  At this point, if federated user "[email protected]" gets a new token by
  going through federation and then scopes the token, they get a token with
  role admin. Here is an example of such a token:
  http://paste.openstack.org/show/7vncdFywNmi6WZ9S7KXX/. In Horizon it means
  they can see and do everything admin can do.

  There is no record of the unprivileged user having role admin in the
  database. This assignment is not displayed in `openstack role assignment
  list`. The assignment only becomes effective when a scoped token is
  requested.

  The workaround for the issue is to remove role admin from admin@Default on
  project "Dev project for unprivileged@". The unprivileged user immediately
  loses admin privileges; the token is still valid, but there is no role
  "admin" in GET /v3/auth/tokens.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1677723/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
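The defect the commit message describes, reduced to a small model as an added example (this is not Keystone's assignment backend; the function names, the in-memory assignment table and the project/group ids are constructed for illustration). The vulnerable variant applies the group filter only when a non-empty group list is given, so a federated user mapped to no groups picks up every assignment on the project, including admin@Default's "admin"; the fixed variant returns an empty list when there are no groups and always filters by group.

```python
# Constructed sample assignment table: (actor_type, actor_id, project_id, role).
# admin@Default holds "admin" directly on the Dev project; the federated user
# only reaches the project through the mapped group, which carries "_member_".
ASSIGNMENTS = [
    ("user", "admin", "dev-project", "admin"),
    ("group", "federated-members", "dev-project", "_member_"),
]


def _assignments_for_project(project_id):
    """All assignments recorded against one project, regardless of actor."""
    return [a for a in ASSIGNMENTS if a[2] == project_id]


def group_roles_vulnerable(group_ids, project_id):
    """Before the fix (modelled): the group constraint is added only when
    group_ids is non-empty. With an empty list nothing is filtered, so the
    caller receives user assignments that were never granted to any group."""
    roles = []
    for actor_type, actor_id, _, role in _assignments_for_project(project_id):
        if group_ids and not (actor_type == "group" and actor_id in group_ids):
            continue
        roles.append(role)
    return sorted(set(roles))


def group_roles_fixed(group_ids, project_id):
    """After the fix (modelled): no groups means no group-derived roles, and
    the group constraint is applied unconditionally otherwise."""
    if not group_ids:
        return []
    roles = [
        role
        for actor_type, actor_id, _, role in _assignments_for_project(project_id)
        if actor_type == "group" and actor_id in group_ids
    ]
    return sorted(set(roles))


if __name__ == "__main__":
    # A federated user with no mapped groups scoping to the Dev project.
    print("vulnerable:", group_roles_vulnerable([], "dev-project"))
    print("fixed:     ", group_roles_fixed([], "dev-project"))
```

The vulnerable call returns both "_member_" and "admin" for a user with no groups, which is exactly the token the report shows; the fixed call returns nothing, and only a user actually in "federated-members" gets "_member_".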

