Reviewed:  https://review.openstack.org/585782
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=df5d75571ed274b2964ed52048768c6d9f24d138
Submitter: Zuul
Branch:    master
commit df5d75571ed274b2964ed52048768c6d9f24d138
Author: Lance Bragstad <[email protected]>
Date:   Wed Jul 25 15:07:16 2018 +0000

    Reduce duplication in federated auth APIs

    The GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains
    APIs were introduced to handle tokens from federated users, but now
    that GET /v3/auth/projects and GET /v3/auth/domains know how to handle
    federated tokens, they're just duplicate APIs.

    In the past we deprecated these federated auth APIs, but they still
    used separate code paths from GET /v3/auth/projects and GET
    /v3/auth/domains. The two code paths are true duplication in that they
    don't expect to differ over time and should provide the same user
    experience. Instead of running the risk that comes with two code paths
    that do the same thing, we should consolidate them.

    Co-Authored-By: Kristi Nikolla <[email protected]>
    Closes-Bug: 1779205
    Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe

** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1779205

Title:
  [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Committed

Bug description:
  The /v3/OS-FEDERATION/projects API was developed to let federated users
  discover what projects they have access to. This mirrored a similar API in
  keystone, v3/auth/projects. Both were intended to behave the same way, by
  only returning what projects a user has a role assignment on. Eventually
  the /v3/OS-FEDERATION/projects API was deprecated after the
  /v3/auth/projects API was able to support federated tokens.

  The /v3/OS-FEDERATION/projects API appears to be broken because it returns
  all projects in the deployment, not just the ones a user has access to.
  The following recreates the issue:

  lbragstad|devstack|~ >>> cat /etc/openstack/clouds.yaml
  clouds:
    devstack:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: demo
        user_domain_id: default
        username: demo
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
    devstack-admin:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: admin
        user_domain_id: default
        username: admin
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
    devstack-alt:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: alt_demo
        user_domain_id: default
        username: alt_demo
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'

  lbragstad|devstack|~ >>> openstack role assignment list --names --os-cloud devstack-admin
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  | Role        | User             | Group             | Project                    | Domain  | Inherited |
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  | member      |                  | nonadmins@Default | demo@Default               |         | False     |
  | anotherrole |                  | nonadmins@Default | demo@Default               |         | False     |
  | member      |                  | nonadmins@Default | alt_demo@Default           |         | False     |
  | anotherrole |                  | nonadmins@Default | alt_demo@Default           |         | False     |
  | admin       |                  | admins@Default    | admin@Default              |         | False     |
  | admin       | admin@Default    |                   | demo@Default               |         | False     |
  | admin       | admin@Default    |                   | admin@Default              |         | False     |
  | admin       | admin@Default    |                   | alt_demo@Default           |         | False     |
  | admin       | admin@Default    |                   |                            | Default | False     |
  | member      | demo@Default     |                   | demo@Default               |         | False     |
  | anotherrole | demo@Default     |                   | demo@Default               |         | False     |
  | member      | demo@Default     |                   | invisible_to_admin@Default |         | False     |
  | member      | alt_demo@Default |                   | alt_demo@Default           |         | False     |
  | anotherrole | alt_demo@Default |                   | alt_demo@Default           |         | False     |
  | admin       | admin@Default    |                   |                            |         | False     |
  +-------------+------------------+-------------------+----------------------------+---------+-----------+

  lbragstad|devstack|~ >>> openstack token issue --os-cloud devstack
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field      | Value                                                                                                                                                                                   |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | expires    | 2018-06-28T21:03:47+0000                                                                                                                                                                |
  | id         | gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w |
  | project_id | 44053df0d12f4ba0aa4c28c3364aa1a1                                                                                                                                                        |
  | user_id    | cef2773684114d55a6399e928ecc78e4                                                                                                                                                        |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

  lbragstad|devstack|~ >>> export TOKEN='gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w'

  lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/auth/projects | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   669  100   669    0     0  20476      0 --:--:-- --:--:-- --:--:-- 20906
  {
      "links": {
          "next": null,
          "previous": null,
          "self": "http://192.168.1.5/identity/v3/auth/projects"
      },
      "projects": [
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
              },
              "name": "demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
              },
              "name": "invisible_to_admin",
              "parent_id": "default",
              "tags": []
          }
      ]
  }

  lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/OS-FEDERATION/projects | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  1270  100  1270    0     0  17528      0 --:--:-- --:--:-- --:--:-- 17638
  {
      "links": {
          "next": null,
          "previous": null,
          "self": "http://192.168.1.5/identity/v3/OS-FEDERATION/projects"
      },
      "projects": [
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
              },
              "name": "demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "Bootstrap project for initializing the cloud.",
              "domain_id": "default",
              "enabled": true,
              "id": "681b94352ed146b5ac37c152653e90d2",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/681b94352ed146b5ac37c152653e90d2"
              },
              "name": "admin",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "9a742b4684dc4c8a90dc4896f9ab178e",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/9a742b4684dc4c8a90dc4896f9ab178e"
              },
              "name": "alt_demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
              },
              "name": "invisible_to_admin",
              "parent_id": "default",
              "tags": []
          }
      ]
  }

  Notice that I used the devstack cloud config, which specifies the demo
  user who only has the `member` and `anotherrole` assigned on two projects
  (demo and invisible_to_admin). In no way should they have access to view
  all projects in the deployment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1779205/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
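As an added audit check (not part of the bug report or of keystone): given the role assignments and the project names each endpoint returned above, compute what the demo user is entitled to see and flag anything extra. The assignment rows and responses are constructed from the report's output; the group memberships are an assumption, since the report does not list them.

```python
# Added example, not keystone's own code: audit an endpoint's project list
# for a user against that user's role assignments (direct or via a group).

# (role, user, group, project) rows constructed from the report's
# `openstack role assignment list --names` output; the domain- and
# system-scoped rows are omitted because they carry no project.
ASSIGNMENTS = [
    ("member", None, "nonadmins", "demo"),
    ("anotherrole", None, "nonadmins", "demo"),
    ("member", None, "nonadmins", "alt_demo"),
    ("anotherrole", None, "nonadmins", "alt_demo"),
    ("admin", None, "admins", "admin"),
    ("admin", "admin", None, "demo"),
    ("admin", "admin", None, "admin"),
    ("admin", "admin", None, "alt_demo"),
    ("member", "demo", None, "demo"),
    ("anotherrole", "demo", None, "demo"),
    ("member", "demo", None, "invisible_to_admin"),
    ("member", "alt_demo", None, "alt_demo"),
    ("anotherrole", "alt_demo", None, "alt_demo"),
]
# Assumption: the report's /v3/auth/projects output shows demo cannot see
# alt_demo, so demo is taken not to be a member of the nonadmins group.
GROUP_MEMBERS = {"nonadmins": set(), "admins": {"admin"}}

# Project names from the two responses in the report (constructed, ids dropped).
AUTH_PROJECTS = {"projects": [{"name": "demo"}, {"name": "invisible_to_admin"}]}
FEDERATION_PROJECTS = {"projects": [
    {"name": n} for n in ("demo", "admin", "alt_demo", "invisible_to_admin")]}


def expected_projects(user, assignments=ASSIGNMENTS, groups=GROUP_MEMBERS):
    """Projects the user holds a role on, directly or through a group."""
    allowed = set()
    for _role, u, g, project in assignments:
        if u == user or (g is not None and user in groups.get(g, set())):
            allowed.add(project)
    return allowed


def audit(user, response, assignments=ASSIGNMENTS, groups=GROUP_MEMBERS):
    """Return (leaked, missing): names returned without any assignment,
    and names the user is entitled to but did not get back."""
    returned = {p["name"] for p in response["projects"]}
    allowed = expected_projects(user, assignments, groups)
    return returned - allowed, allowed - returned


if __name__ == "__main__":
    for api, resp in (("auth", AUTH_PROJECTS), ("OS-FEDERATION", FEDERATION_PROJECTS)):
        leaked, missing = audit("demo", resp)
        print(f"{api}: leaked={sorted(leaked)} missing={sorted(missing)}")
```

Run against the report's data, the OS-FEDERATION response leaks `admin` and `alt_demo` for the demo user while the auth response is clean; the same check applied to live responses is a quick regression test for the consolidated code path.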

