Fix proposed to branch: stable/queens Review: https://review.opendev.org/726435 -- You received this bug notification because you are a member of OpenStack Security SIG, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1872755 Title: ec2 credential "trust_id" can be updated to null Status in OpenStack Identity (keystone): Fix Released Status in OpenStack Security Advisory: Won't Fix Bug description: Similar to https://bugs.launchpad.net/keystone/+bug/1872733 and https://bugs.launchpad.net/keystone/+bug/1872753. If ec2 credentials were created within a trust_id scope, it is still possible to set these credentials' "trust_id" to "null" using: curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f -H 'Accept: application/json' -H 'Content-Type: application/json' -H "X-Auth-Token: ***" -d'{ "credential": { "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}" } }' Note "null" in blob. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1872755/+subscriptions