Reviewed: https://review.opendev.org/725885
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6c73690f779a42a5c62914b6bc37f0ac2f41a3e3
Submitter: Zuul
Branch: master

commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3
Author: Colleen Murphy <[email protected]>
Date: Thu Apr 16 20:35:46 2020 -0700

    Ensure OAuth1 authorized roles are respected

    Without this patch, when an OAuth1 request token is authorized with a
    limited set of roles, the roles for the access token are ignored when
    the user uses it to request a keystone token. This means that the user
    of an access token can use it to escalate their role assignments beyond
    what was authorized by the creator.

    This patch fixes the issue by ensuring the token model accounts for an
    OAuth1-scoped token and correctly populating the roles for it.

    Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
    Closes-bug: #1873290

** Changed in: keystone
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1873290

Title:
  OAuth1 request token authorize silently ignores roles parameter

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Sorry for using "trustor" and "trustee" terms in the OAuth1 context, but
  these terms clearly describe the users' positions.

  The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a
  role for an OAuth1 Access Token:

  $ openstack request token authorize
  usage: openstack request token authorize [-h] [-f {json,shell,table,value,yaml}]
                                           [-c COLUMN] [--noindent]
                                           [--prefix PREFIX]
                                           [--max-width <integer>]
                                           [--fit-width] [--print-empty]
                                           --request-key <request-key>
                                           --role <role>
  openstack request token authorize: error: the following arguments are required: --request-key, --role

  However, the specified role is silently ignored and the OAuth1 token gets
  all of the OAuth1 "trustor" roles.

  https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287

  As an OAuth1 "trustor" I expect the "trustee" to have only the accepted
  roles.
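As an added example, not keystone's code, here is a minimal Python model of the defect the commit message describes: the vulnerable path derives the issued token's roles from the user's full assignments, while the fixed path restricts an OAuth1-scoped token to the intersection of the user's current assignments and the roles recorded at authorize time. All names (User, AccessToken, the three functions) and the sample data are constructed for illustration and do not correspond to keystone's API.

```python
# Constructed model of the OAuth1 role-scoping bug (keystone bug #1873290).
# Not keystone's code; names and data are illustrative only.
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    project_roles: dict  # project_id -> set of role names held on that project


@dataclass
class AccessToken:
    user_id: str            # the "trustor" who authorized the request token
    project_id: str
    authorized_roles: frozenset  # roles approved at "request token authorize"


def authorize_request_token(user, project_id, requested_roles):
    """Authorize step: an access token may only be scoped to roles the
    authorizing user actually holds on the project."""
    held = user.project_roles.get(project_id, set())
    not_held = set(requested_roles) - held
    if not_held:
        raise ValueError(f"cannot authorize roles not held: {sorted(not_held)}")
    return AccessToken(user.user_id, project_id, frozenset(requested_roles))


def issue_token_vulnerable(user, access_token):
    """Before the fix: roles are copied from the user's assignments, so the
    authorized subset stored on the access token is silently ignored."""
    return set(user.project_roles.get(access_token.project_id, set()))


def issue_token_fixed(user, access_token):
    """After the fix: an OAuth1-scoped token carries only roles that were
    both authorized on the access token and are still assigned to the user,
    so a later role revocation is honoured as well."""
    current = set(user.project_roles.get(access_token.project_id, set()))
    granted = current & access_token.authorized_roles
    if not granted:
        raise PermissionError("no authorized roles remain assigned to the user")
    return granted
```

Comparing the two issue functions on the same access token shows the escalation the bug allowed (every trustor role returned) against the fixed behaviour (only the authorized role).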

