** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => icehouse-1
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1186059

Title:
  A Keystone user can't perform revoke_token operation due to absence of
  target in context

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  The default policy file which comes with keystone has the rule
  ["user_id:%(user_id)s"] defined for the "identity:revoke_token" API, but
  to trigger this rule the user_id should be the target. For all the APIs
  listed below no target is set, the way it is for an API like
  "GET /users/{user_id}"; in this case the ["user_id:%(user_id)s"] rule is
  never triggered, and hence a legitimate user cannot perform the operations
  below on his own token.

    identity:check_token
    identity:validate_token
    identity:revoke_token

  This issue can lead to a security vulnerability because the token will
  stay active until the end of its lifetime.

  Fix: In my opinion we should use the "X-Subject-Token" header, which
  comes in with the request, to derive the target for the auth check.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1186059/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
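The mechanism behind the report, as an added illustration that is not Keystone's own policy engine: a minimal stand-in for the legacy JSON-list policy format the bug quotes (a rule is a list of alternatives, each a list of "kind:value" checks), with a constructed token store, constructed user credentials and an assumed "admin_required" rule based on a "role:admin" check. It shows why a "user_id:%(user_id)s" check can never match when the enforcer is called with an empty target (the substitution has nothing to read), and how deriving the target from the owner of the X-Subject-Token, as the reporter proposes, lets the token's owner pass while still rejecting other non-admin users.

```python
"""Toy policy evaluation modelled on Keystone's legacy list-style rules.

Added example, not Keystone code. POLICY, TOKENS and the role names are
constructed sample data; the enforcer is a deliberately small stand-in.
"""

# Constructed policy fragment in the JSON-list style quoted in the bug:
# a rule holds alternatives (OR); each alternative holds checks (AND).
POLICY = {
    "admin_required": [["role:admin"]],
    "identity:get_user": [["rule:admin_required"], ["user_id:%(user_id)s"]],
    "identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]],
}

# Constructed token store: subject token id -> minimal token payload.
TOKENS = {
    "tok-alice": {"user_id": "alice"},
    "tok-bob": {"user_id": "bob"},
}


def _check(check, creds, target):
    """Evaluate one 'kind:value' check against caller creds and the target."""
    kind, _, value = check.partition(":")
    if kind == "rule":
        # Reference to another named rule in the policy file.
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: the caller credential named by `kind` must equal
    # `value` after substituting target attributes, e.g. user_id:%(user_id)s.
    try:
        expected = value % target
    except KeyError:
        # The target lacks the attribute the rule refers to, so the check
        # cannot match. This is the situation the bug describes: with no
        # target set, only the admin alternative can ever succeed.
        return False
    return str(creds.get(kind)) == expected


def enforce(action, creds, target):
    """Return True if any alternative of POLICY[action] holds; deny by default."""
    alternatives = POLICY.get(action, [])
    return any(all(_check(c, creds, target) for c in alt) for alt in alternatives)


def revoke_token_without_target(creds, headers):
    """Behaviour reported in the bug: the policy check runs with no target,
    so a non-admin user cannot revoke even their own token."""
    return enforce("identity:revoke_token", creds, target={})


def revoke_token_with_subject_target(creds, headers):
    """Proposed fix: look up the owner of X-Subject-Token and use that as the
    target, so the user_id:%(user_id)s alternative can match the token owner."""
    subject = TOKENS.get(headers.get("X-Subject-Token"))
    if subject is None:
        return False  # unknown token: nothing to authorise against
    target = {"user_id": subject["user_id"]}
    return enforce("identity:revoke_token", creds, target)


if __name__ == "__main__":
    alice = {"user_id": "alice", "roles": ["member"]}
    admin = {"user_id": "root", "roles": ["admin"]}
    hdr = {"X-Subject-Token": "tok-alice"}
    print("no target, alice on own token :", revoke_token_without_target(alice, hdr))
    print("with target, alice on own token:", revoke_token_with_subject_target(alice, hdr))
    print("with target, alice on bob's    :",
          revoke_token_with_subject_target(alice, {"X-Subject-Token": "tok-bob"}))
    print("with target, admin on bob's    :",
          revoke_token_with_subject_target(admin, {"X-Subject-Token": "tok-bob"}))
```

The important property of the fix is that the target comes from the token being acted on, not from the caller's own credentials: building the target from the caller would make the check trivially true for everyone, whereas deriving it from X-Subject-Token keeps the owner-only semantics the default rule was written to express.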