[Openstack-security] [Bug 1625619] Re: It is possible to download key pair for other user at the same project
Tristan Cacqueray
tdecacqu at redhat.com
Tue Sep 27 15:16:29 UTC 2016
It seems like the download link does in fact create the key first, so
another user will download another (newly generated) key. Can someone
please confirm before we close this bug.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1625619
Title:
It is possible to download key pair for other user at the same project
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Identity (keystone):
New
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Bug was reproduced in mitaka openstack release.
Steps to reproduce:
1. Login to horizon.
2. Click Project-> Compute -> Access and Security
3. Click "Key Pairs" tab
4. Click "Create Key Pair" button, enter keypair name.
5. On the next screen with download key dialog copy URL from browser URL field
URL will be like
http://server/horizon/project/access_and_security/keypairs/<my key
pair name>/download
6. Click cancel to close download window.
7. Click Project->Compute->Instances.
8. In opened window select other key pair name from KEY PAIR column (it could be key pair for different user)
9. open new browser window, paste URL string from step 5.
10. Change in URL <my key pair name> with name obtained from step 8 and press enter
You will be prompted to download private key for other user.
It isn't correct user should be able to download only his own keys
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1625619/+subscriptions
More information about the Openstack-security
mailing list