<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10pt"><div id="yiv2135741019"><div><div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt;"><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style=""><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_81" style="font-family: Arial; font-size: 10pt;">Bringing this to OSSG's attention. </span></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style="font-size: 10pt; font-family: Arial; background-color: transparent;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_89" style="font-size:10pt;"><br clear="none" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18602"
 style=""></span></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style="font-family: Arial; background-color: transparent;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_95" style="font-size:10pt;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18610" style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 16px;">The second one seems to be a security-critical assumption. Without input/output validation in keystone/Swift for domain_id or good documentation in place, this assumption can be exploited later on by some attacker to break Swift.</span><br clear="none" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18608" style=""></span></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style="font-family: Arial; background-color: transparent;"><span class="yiv2135741019"
 id="yiv2135741019yui_3_16_0_6_1404285875969_101" style="font-size:10pt;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_98" style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 16px;"><br clear="none" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18677" style=""></span></span></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style="font-size:16px;background-color:transparent;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_106" style="font-family: Arial; font-size: 10pt;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_103" style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 16px;">...shohel</span></span></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style="color: rgb(0, 0, 0);
 font-size: 13px; font-family: Arial; background-color: transparent; font-style: normal;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_92" style="font-family: Arial; font-size: 10pt;"><br clear="none" class="yiv2135741019" style=""></span></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style="color: rgb(0, 0, 0); font-size: 13px; font-family: Arial; background-color: transparent; font-style: normal;"><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_85" style="font-family: Arial; font-size: 10pt;"><br clear="none" class="yiv2135741019" style=""></span></div><div class="qtdSeparateBR"><br><br></div><div class="yiv2135741019yqt2269990436" id="yiv2135741019yqt72952"><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_4" style="color: rgb(0, 0, 0); font-size: 13px; font-family: Arial; background-color: transparent; font-style: normal;"><span
 class="yiv2135741019" id="yiv2135741019yui_3_16_0_6_1404285875969_70" style="font-family: Arial; font-size: 10pt;">On Tuesday, July 1, 2014 10:19 PM, Dolph Mathews &lt;dolph.mathews@gmail.com&gt; wrote:</span></div><div class="yiv2135741019yahoo_quoted" id="yiv2135741019yui_3_16_0_6_1404285875969_9" style="display: block;"><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17336" style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt;"><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17335" style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17363" style=""><div class="yiv2135741019" id="yiv2135741019" style=""><div class="yiv2135741019" dir="ltr" id="yiv2135741019yui_3_16_0_1_1404285875969_17362" style=""><div
 class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17361" style=""><br clear="none" class="yiv2135741019" style=""><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17368" style="">On Tue, Jul 1, 2014 at 11:20 AM, Coles,
 Alistair <span class="yiv2135741019" dir="ltr" id="yiv2135741019yui_3_16_0_1_1404285875969_17739" style="">&lt;<a rel="nofollow" shape="rect" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17738" ymailto="mailto:alistair.coles@hp.com" target="_blank" href="mailto:alistair.coles@hp.com" style="">alistair.coles@hp.com</a>&gt;</span> wrote:<br clear="none" class="yiv2135741019" style="">

<blockquote class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17367" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">





<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17366" lang="EN-US" style="">
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17365" style="">
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17364" style="">We have a change [1] under review in Swift to make access control lists compatible with migration to keystone v3 domains. The change makes two assumptions that I’d like to double-check with keystone folks:<u class="yiv2135741019" style=""></u><u class="yiv2135741019" style=""></u></div>


<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17737" style=""><u class="yiv2135741019" style=""></u> <u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17736" style=""><u class="yiv2135741019" style=""></u><span class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18605" style="">1.<span class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18604" style="font:7.0pt;">     
</span></span><u class="yiv2135741019" style=""></u>That a project can never move from one domain to another.</div></div></div></blockquote><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17369" style="">We're moving in this direction, at least. In Grizzly and Havana, we made no such restriction. In Icehouse, we introduced such a restriction by default, but it can be disabled. So far, we haven't gotten any complaints about adding the restriction, so maybe we should just add additional help text to the option in our config about why you would never want to disable the restriction, citing how it would break swift?</div>

<blockquote class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17373" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17372" lang="EN-US" style=""><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17371" style=""><div class="yiv2135741019" style=""><u class="yiv2135741019" style=""></u><u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17370" style=""><u class="yiv2135741019" style=""></u><span class="yiv2135741019" style="">2.<span class="yiv2135741019" style="font:7.0pt;">     
</span></span><u class="yiv2135741019" style=""></u>That the underscore character cannot appear in a valid domain id – more specifically, that the string ‘_unknown’ cannot be confused with a domain id.</div></div></div></blockquote><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17761" style="">That's fairly sound. All of our domain IDs are system-assigned as UUIDs, except for the "default" domain which has an explicit id='default'. We don't do anything to validate the assumption, though.<br clear="none" class="yiv2135741019" style="">

</div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17761" style=""><br clear="none" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17773" style=""></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17761" style=""><br clear="none" class="yiv2135741019" style=""></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17761" style=""><br clear="none" class="yiv2135741019" style=""></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17761" style=""><br clear="none" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18175" style=""></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17761" style=""><br clear="none" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18177" style=""></div><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17761" style=""><br clear="none"
 class="yiv2135741019" style=""></div><blockquote class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17765" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17764" lang="EN-US" style=""><div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17763" style=""><div class="yiv2135741019" style=""><u class="yiv2135741019" style=""></u><u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17762" style=""><u class="yiv2135741019" style=""></u> <u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17766" style="">Are those safe assumptions?<u class="yiv2135741019" style=""></u><u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17767" style=""><u class="yiv2135741019" style=""></u> <u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_17768" style="">Thanks,<u class="yiv2135741019" style=""></u><u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18178" style="">Alistair<u class="yiv2135741019" style=""></u><u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18600" style=""><u class="yiv2135741019" style=""></u> <u class="yiv2135741019" style=""></u></div>
<div class="yiv2135741019" style="">[1] <a rel="nofollow" shape="rect" class="yiv2135741019" target="_blank" href="https://review.openstack.org/86430" style="">https://review.openstack.org/86430</a><u class="yiv2135741019" style=""></u><u class="yiv2135741019" style=""></u></div>
</div>
</div>

<br clear="none" class="yiv2135741019" style="">_______________________________________________<br clear="none" class="yiv2135741019" style="">
OpenStack-dev mailing list<br clear="none" class="yiv2135741019" style="">
<a rel="nofollow" shape="rect" class="yiv2135741019" id="yiv2135741019yui_3_16_0_1_1404285875969_18180" ymailto="mailto:OpenStack-dev@lists.openstack.org" target="_blank" href="mailto:OpenStack-dev@lists.openstack.org" style="">OpenStack-dev@lists.openstack.org</a><br clear="none" class="yiv2135741019" style="">
<a rel="nofollow" shape="rect" class="yiv2135741019" target="_blank" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" style="">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br clear="none" class="yiv2135741019" style="">
<br clear="none" class="yiv2135741019" style=""></blockquote></div><br clear="none" class="yiv2135741019" style=""></div></div></div><br clear="none" class="yiv2135741019" style=""><br clear="none" class="yiv2135741019" style=""></div>  </div> </div>  </div></div> </div></div></div></div></body></html>
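As an added illustration of the second assumption discussed in the thread (this is example code written for this page, not code from Swift, keystone or change [1]): the module below encodes the two domain-id shapes Dolph describes (the literal 'default' or a system-assigned UUID), treats '_unknown' as a sentinel that must never validate as a real id, and refuses a token value that spells the sentinel instead of passing it through, which is the input validation Shohel asks for. The token payload shape ({"project": {"domain": {"id": ...}}}), the function names and the acceptance of the hyphenated UUID form are my assumptions.

```python
"""Checks for the '_unknown' domain sentinel assumption.

Added example, not code from Swift, keystone or review 86430. It assumes a
keystone-v3-style token payload shaped like {"project": {"domain": {"id": X}}}
and treats 'default' or a system-assigned UUID as the only valid domain ids.
"""
import re

# The sentinel Swift uses (per the thread) for a request whose project domain
# cannot be determined. The scheme rests on this never equalling a real id.
UNKNOWN_DOMAIN = "_unknown"

# keystone issues domain ids as uuid4().hex (32 hex digits). The hyphenated
# form is accepted too in case a tool canonicalised it (assumption).
_UUID_RE = re.compile(
    r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)


def classify_domain_id(value):
    """Sort a candidate domain id into one of five buckets.

    'missing'  -> None or empty string
    'sentinel' -> exactly the _unknown marker
    'default'  -> the default domain's fixed id
    'uuid'     -> a system-assigned id
    'invalid'  -> anything else (underscores, slashes, whitespace, ...)
    """
    if value is None or value == "":
        return "missing"
    if not isinstance(value, str):
        return "invalid"
    if value == UNKNOWN_DOMAIN:
        return "sentinel"
    if value == "default":
        return "default"
    if _UUID_RE.match(value):
        return "uuid"
    return "invalid"


def is_keystone_domain_id(value):
    """True only for the two shapes keystone actually hands out."""
    return classify_domain_id(value) in ("default", "uuid")


def sentinel_is_safe():
    """The invariant the ACL change relies on, checked rather than assumed."""
    return not is_keystone_domain_id(UNKNOWN_DOMAIN)


def resolve_domain_id(token_info):
    """Extract the project's domain id from a token payload (hypothetical shape).

    A missing domain collapses to the sentinel. A present-but-malformed value,
    including one that spells the sentinel itself, is refused rather than
    trusted; that is the validation step the thread says is absent.
    """
    project = token_info.get("project") or {}
    domain_id = (project.get("domain") or {}).get("id")
    kind = classify_domain_id(domain_id)
    if kind == "missing":
        return UNKNOWN_DOMAIN
    if kind in ("default", "uuid"):
        return domain_id
    raise ValueError("refusing domain id %r (%s)" % (domain_id, kind))


def same_domain(a, b):
    """Domain equality that never lets two unknown domains 'match' each other."""
    return is_keystone_domain_id(a) and a == b


# Constructed sample payloads for the demo (not real tokens).
SAMPLE_V3_TOKEN = {"project": {"id": "9f1c" * 8, "domain": {"id": "default"}}}
SAMPLE_V2_STYLE_TOKEN = {"project": {"id": "9f1c" * 8}}  # no domain block
SAMPLE_SPOOFED_TOKEN = {"project": {"domain": {"id": "_unknown"}}}

if __name__ == "__main__":
    print("sentinel safe:", sentinel_is_safe())
    print("v3 token ->", resolve_domain_id(SAMPLE_V3_TOKEN))
    print("v2-style token ->", resolve_domain_id(SAMPLE_V2_STYLE_TOKEN))
    try:
        resolve_domain_id(SAMPLE_SPOOFED_TOKEN)
    except ValueError as exc:
        print("spoofed token ->", exc)
    print("_unknown matches _unknown?", same_domain(UNKNOWN_DOMAIN, UNKNOWN_DOMAIN))
```

The point of same_domain is the failure mode Shohel raises: if the sentinel were ever treated as an ordinary id, every request with an unresolvable domain would compare equal to every other one, so the comparison here only succeeds for ids keystone could actually have issued.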