[Openstack-security] [Bug 1791973] Re: User cannot list their own trusts

Adam Young 1791973 at bugs.launchpad.net
Fri Oct 26 16:53:46 UTC 2018


Looking at the policy check:

        # FIXME(lbragstad): Trusts have the ability to optionally include a
        # project, but until trusts deal with system scope it's not really
        # useful. For now, this should be a project only operation.
        scope_types=['project'],

It seems to me that this should be an unscoped only operation for users,
where they are listing their own trusts,  not scoped to a project.

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1791973

Title:
  User cannot list their own trusts

Status in OpenStack Identity (keystone):
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Heat and Admin users both commonly create trusts for other users.  But
  any application is capable of doing this, as it requires only a scoped
  token to create a trust, which users pass around regularly.

  If I am concerned that some other application (or unauthorized user)
  has created a trust with me as the trustor, I need to be able to
  confirm this.  If I cannot perform "trust list" and see the set of
  trusts that have me as a trustor, I am not able to clear out spurious
  ones.  Thus, I would not be aware of any trusts set up in my name.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1791973/+subscriptions




More information about the Openstack-security mailing list