** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242597

Title:
  [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens
  (CVE-2013-6391)

Status in OpenStack Identity (Keystone):
  Fix Committed
Status in Keystone havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  So I finally got around to investigating the scenario I mentioned in
  https://review.openstack.org/#/c/40444/, and unfortunately it seems that
  the ec2tokens API does indeed provide a way to circumvent the role
  delegation provided by trusts, and obtain all the roles of the trustor
  user, not just those explicitly delegated.

  Steps to reproduce:
  - Trustor creates a trust delegating a subset of roles
  - Trustee gets a token scoped to that trust
  - Trustee creates an ec2-keypair
  - Trustee makes a request to the ec2tokens API, to validate a signature
    created with the keypair
  - ec2tokens API returns a new token, which is not scoped to the trust and
    enables access to all the trustor's roles.

  I can provide some test code which demonstrates the issue.

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
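As an added illustration (not Keystone's code, and not the patch that shipped for OSSA 2013-032): a toy model of the steps above showing why the ec2tokens path escapes the trust scope, and one mitigation, binding the EC2 credential to the trust its creating token was scoped to. The user and role names, the trust id, the request string and the HMAC-SHA256 signing stand-in are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
# Constructed sample data (not from the bug report): trustor 'alice' holds three
# roles; the trust 't1' delegates only 'reader' to trustee 'bob'.
USER_ROLES = {"alice": frozenset({"admin", "member", "reader"})}
TRUSTS = {"t1": {"trustor": "alice", "trustee": "bob", "roles": frozenset({"reader"})}}

@dataclass(frozen=True)
class Token:
    user: str
    roles: frozenset
    trust_id: Optional[str] = None   # set only on trust-scoped tokens

@dataclass(frozen=True)
class Ec2Credential:
    access: str
    secret: str
    user: str                 # the trustor, since a trust-scoped token acts as the trustor
    trust_id: Optional[str]   # mitigation: the trust the creating token was scoped to

def trust_scoped_token(trust_id: str) -> Token:
    """Consuming a trust yields a token that carries only the delegated roles."""
    return Token(TRUSTS[trust_id]["trustor"], TRUSTS[trust_id]["roles"], trust_id)

def create_ec2_credential(token: Token, access: str, secret: str) -> Ec2Credential:
    """Records the creating token's trust scope so it can be enforced later."""
    return Ec2Credential(access, secret, token.user, token.trust_id)

def sign(secret: str, request: str) -> str:
    """Simplified stand-in for EC2 request signing: HMAC-SHA256 over the request."""
    return hmac.new(secret.encode(), request.encode(), hashlib.sha256).hexdigest()

def ec2tokens(cred: Ec2Credential, request: str, signature: str, fixed: bool) -> Token:
    """Validate the signature and issue a token. fixed=False reproduces the report
    (all of the owner's roles, no trust scope); fixed=True keeps the trust scope."""
    if not hmac.compare_digest(sign(cred.secret, request), signature):
        raise PermissionError("bad signature")
    if fixed and cred.trust_id is not None:
        return trust_scoped_token(cred.trust_id)
    return Token(cred.user, USER_ROLES[cred.user])

def reproduce(fixed: bool) -> Token:
    """Walk the report's steps as the trustee and return the token ec2tokens issues."""
    scoped = trust_scoped_token("t1")                               # trust-scoped token
    cred = create_ec2_credential(scoped, "AKIA-EXAMPLE", "s3cret")  # trustee's keypair
    req = "Action=DescribeInstances"                                # constructed request
    return ec2tokens(cred, req, sign(cred.secret, req), fixed)
```

With `fixed=False` the issued token carries `admin`, `member` and `reader` and no trust id; with `fixed=True` it carries only `reader` and stays scoped to `t1`.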