[Openstack-security] [Bug 1703369] Re: get_identity_providers policy should be singular
OpenStack Infra
1703369 at bugs.launchpad.net
Wed Apr 25 09:39:00 UTC 2018
Fix proposed to branch: master
Review: https://review.openstack.org/564150
** Changed in: horizon
Status: New => In Progress
** Changed in: horizon
Assignee: (unassigned) => Radomir Dopieralski (deshipu)
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1703369
Title:
get_identity_providers policy should be singular
Status in OpenStack Dashboard (Horizon):
In Progress
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) newton series:
Fix Committed
Status in OpenStack Identity (keystone) ocata series:
Fix Committed
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
identity:get_identity_providers should be
identity:get_identity_provider (singular) since a GET is targeted on a
single provider and the code is setup to check for
identity:get_identity_provider (singular). See
https://github.com/openstack/keystone/blob/c7e29560b7bf7a44e44722eea0645bf18ad56af3/keystone/federation/controllers.py#L112
found in master (pike)
The ocata default policy.json also has this problem. Unless someone
manually overrode policy to specify identity:get_identity_provider
(singular), the result would be that the default rule was actually
used for that check instead of identity:get_identity_providers. We
could go back and fix the default policy.json for past releases, but
the default actually has the same value as
identity:get_identity_providers, and if nobody has complained it's
probably safer to just leave it. It is, after all, just defaults there
and anyone can override by specifying the correct value.
But we must fix in pike to go along with the shift of policy into
code. Policy defaults in code definitely need to match up with what
the code actually checks. There should no longer be any reliance on
the default rule.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1703369/+subscriptions
More information about the Openstack-security
mailing list