Reviewed:  https://review.opendev.org/728387
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=252c23b1b80bfbc0e9b54ac31a5b97c117cf3d77
Submitter: Zuul
Branch:    master

commit 252c23b1b80bfbc0e9b54ac31a5b97c117cf3d77
Author: Vishakha Agarwal <[email protected]>
Date:   Fri May 15 14:13:40 2020 +0530

    Disable EC2 credentials access_id update

    Without this patch user can alter EC2 credential access_id
    and user cannot use it anymore as an ec2 auth token since
    EC2 credential access ID is used to calculate an ID of the
    "credential" [1] and it doesn't update the EC2 credential ID
    with new access ID. This leads to unwanted EC2 credentials
    stored in database.

    As per the discussion of keystone team [2] we decided
    to block patching of "access_id" attribute.

    [1] https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/users.py#L363
    [2] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting-alt/%23openstack-meeting-alt.2020-05-12.log.html#t2020-05-12T17:45:20

    Closes-Bug: #1872753
    Change-Id: I1f6ce3927c2881d9a2d7dcda3ccd29e0a82e45a9

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872753

Title:
  Updating EC2 credential blob can lead to a ec2 credential id /
  credential id mismatch

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Updating ec2 credential blob field via "openstack credential set
  --data '***'" allows to update the EC2 credential access ID.
  Considering that EC2 credential access ID is used to calculate an ID
  of the "credential"
  (https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/users.py#L363,
  https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/common/utils.py#L101),
  the update action doesn't update the actual credential ID using a new
  access ID sha256sum. This can lead to invalid ec2 credentials.
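The mismatch described in the bug report, modelled as an added Python example (not keystone's code). It assumes an in-memory dict in place of the credential table; the function names and sample access IDs are constructed for illustration, and find_mismatched shows one way to audit for records left stale by an earlier blob update.

```python
import hashlib
import json


def ec2_credential_id(access_id):
    # Per the bug report: the credential ID is the SHA-256 hex digest of the access ID.
    return hashlib.sha256(access_id.encode("utf-8")).hexdigest()


def create(store, access_id, secret):
    cred_id = ec2_credential_id(access_id)
    blob = json.dumps({"access": access_id, "secret": secret})
    store[cred_id] = {"type": "ec2", "blob": blob}
    return cred_id


def update_blob(store, cred_id, new_blob, block_access_change):
    # block_access_change=False models the behaviour before the fix:
    # the blob is replaced but the record keeps its original ID.
    old = json.loads(store[cred_id]["blob"])
    new = json.loads(new_blob)
    if block_access_change and new.get("access") != old.get("access"):
        raise ValueError("access_id of an EC2 credential cannot be changed")
    store[cred_id]["blob"] = new_blob


def lookup_by_access(store, access_id):
    # Lookup in this model derives the record ID from the presented access ID.
    return store.get(ec2_credential_id(access_id))


def find_mismatched(store):
    # Audit: EC2 records whose stored ID no longer equals sha256(blob access).
    return [cid for cid, cred in store.items()
            if cred["type"] == "ec2"
            and ec2_credential_id(json.loads(cred["blob"])["access"]) != cid]


def demo():
    store = {}
    cid = create(store, "constructed-access-old", "constructed-secret")
    changed = json.dumps({"access": "constructed-access-new", "secret": "constructed-secret"})
    update_blob(store, cid, changed, block_access_change=False)
    found = lookup_by_access(store, "constructed-access-new") is not None
    stale = find_mismatched(store) == [cid]
    try:
        update_blob(store, cid, json.dumps({"access": "other"}), block_access_change=True)
        blocked = False
    except ValueError:
        blocked = True
    return {"new_access_found": found, "stale_record_detected": stale, "blocked": blocked}
```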

