[Openstack-security] [Bug 1792047] Re: keystone rbacenforcer not populating policy dict with view args


The concern is the opposite of exploitable. It can lock keystone's API too
closed. It is security in that sense; it should be a tag, I guess.

On Wed, Sep 12, 2018, 08:41 Jeremy Stanley <fungi at yuggoth.org> wrote:

> Is this considered exploitable (class A vulnerability report)? Or should
> it be using the security bugtag to indicate a hardening opportunity
> instead of the Public Security bug type?

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1792047

Title:
  keystone rbacenforcer not populating policy dict with view args

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) rocky series:
  In Progress
Status in OpenStack Identity (keystone) stein series:
  In Progress

Bug description:
  The old @protected decorator pushed the view arguments into the
  policy_dict for enforcement purposes[0]. This was missed in the new
  RBACEnforcer.

  [0]
  https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1792047/+subscriptions
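To make the "too closed" point concrete, below is an added example that is not keystone's or oslo.policy's own code. It models an oslo.policy-style `attr:%(key)s` check, which denies when the substitution key is missing from the target dict, and contrasts an enforcer that copies the URL view args (here a hypothetical `user_id` from `GET /v3/users/<id>`) into the policy target with one that drops them, as the bug describes. The policy rule, credential layout and helper names are constructed for illustration; the enforcer itself is a simplified stand-in, not the RBACEnforcer.

```python
# Added example: a simplified model of policy enforcement with and without
# URL view args in the target dict. Not keystone or oslo.policy code.

POLICY = {
    # Hypothetical rule: admins, or the user reading their own record.
    # Check lists use OR semantics; the second check needs target["user_id"].
    "identity:get_user": ["role:admin", "user_id:%(user_id)s"],
}


def check_rule(rule, creds, target):
    """Evaluate one 'cred_attr:value' check, where value may be a %(key)s
    template filled from the target dict.

    Modelled on oslo.policy's GenericCheck: a missing target key makes the
    substitution fail and the check returns False (fail closed).
    """
    attr, _, template = rule.partition(":")
    try:
        expected = template % target
    except KeyError:
        # Target lacks the key the rule refers to: deny rather than error.
        return False
    return str(creds.get(attr)) == expected


def enforce(policy, action, creds, target):
    """Grant if any check listed for the action passes."""
    return any(check_rule(r, creds, target) for r in policy.get(action, []))


def enforce_with_view_args(policy, action, creds, view_args):
    """Old @protected behaviour (modelled): view args become policy targets."""
    target = dict(view_args)
    return enforce(policy, action, creds, target)


def enforce_without_view_args(policy, action, creds, view_args):
    """The reported gap (modelled): view args never reach the target dict."""
    return enforce(policy, action, creds, {})


def demo():
    """Constructed request: member u-1234 reads /v3/users/u-1234."""
    creds = {"user_id": "u-1234", "role": "member"}   # constructed token creds
    view_args = {"user_id": "u-1234"}                 # constructed URL match
    return {
        "with_view_args": enforce_with_view_args(
            POLICY, "identity:get_user", creds, view_args),
        "without_view_args": enforce_without_view_args(
            POLICY, "identity:get_user", creds, view_args),
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the owner request is granted when the view args are present and denied when they are dropped; a different user is denied in both cases, which is why the bug is a hardening/availability problem rather than an exploitable one.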