[Openstack-security] [Bug 1299012] Related fix merged to keystone (master)
OpenStack Infra
1299012 at bugs.launchpad.net
Sat Jun 14 18:33:37 UTC 2014
Reviewed: https://review.openstack.org/97852
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7f5e120ab8e73fc77360a4adb2f73f2516bae8a0
Submitter: Jenkins
Branch: master
commit 7f5e120ab8e73fc77360a4adb2f73f2516bae8a0
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date: Wed Jun 4 09:37:12 2014 -0700
Use translation hints
Use the _LI() function instead of _() for new LOG.info messages.
Change-Id: I6af25a33018e76b321488cacea65885fa597abbf
Related-Bug: #1299012
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1299012
Title:
V3 api authentication method chaining
Status in OpenStack Identity (Keystone):
Fix Released
Status in OpenStack Security Advisories:
Invalid
Bug description:
When using authentication method chaining for token creation (POST)
in the Keystone V3 API, it is possible to use authentication credentials
for two different users. For example, if I have an existing token for
a Demo user, say 6bb934a0120f097a32b5d3cc71f83beb (created earlier
for the demo tenant), and I have a user, say 'test131', in the admin tenant,
I can now make an authentication call using auth method chaining:
{
  "auth": {
    "identity": {
      "methods": [
        "password",
        "token"
      ],
      "token": {
        "id": "6bb934a0120f097a32b5d3cc71f83beb"
      },
      "password": {
        "user": {
          "domain": {
            "id": "default"
          },
          "name": "test131",
          "password": "test131"
        }
      }
    }
  }
}
The call will succeed even though two different users' authentication
credentials are used. The generated token will get the properties of the
test131 user, although the expiry date is set by the demo user's token. If
we change the sequence of the methods, the generated token will get all
of its properties from the demo user's token.
This is undesired security behaviour - a token should not be allowed to be generated using credentials from two different users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1299012/+subscriptions
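The consistency check the bug report is asking for, written out as an added example. This is not Keystone's code and not the fix referenced by the commit above: it models v3 method chaining with an in-memory user store and token store (both constructed for the example, with made-up user ids), runs every listed method, and rejects the request unless all methods resolve to the same user, regardless of the order in which the methods are listed. The request body is the one from the bug report, reproduced as a Python literal.

```python
"""Added example (not Keystone code): a user-consistency check for v3
authentication method chaining.

Every method named in auth.identity.methods is run; each must resolve to
exactly one user, and all of them must agree, or the request is rejected.
The USERS and TOKENS tables and the user ids in them are constructed for
this example and are not real Keystone data.
"""
import hmac

# Constructed stand-in for the identity backend:
# (domain_id, user_name) -> user record
USERS = {
    ("default", "demo"):    {"id": "u-demo",    "password": "demo"},
    ("default", "test131"): {"id": "u-test131", "password": "test131"},
}
# Constructed stand-in for the token backend: token id -> owning user id
# (the token from the bug report is assumed to belong to the demo user)
TOKENS = {
    "6bb934a0120f097a32b5d3cc71f83beb": {"user_id": "u-demo"},
}


class AuthError(Exception):
    """Raised when any method fails or the methods disagree on the user."""


def _auth_password(payload):
    """Resolve a 'password' method payload to a user id."""
    user = payload["user"]
    record = USERS.get((user["domain"]["id"], user["name"]))
    # constant-time compare so a missing user and a wrong password look alike
    if record is None or not hmac.compare_digest(record["password"], user["password"]):
        raise AuthError("password authentication failed")
    return record["id"]


def _auth_token(payload):
    """Resolve a 'token' method payload to the user the token was issued to."""
    record = TOKENS.get(payload["id"])
    if record is None:
        raise AuthError("token authentication failed")
    return record["user_id"]


METHODS = {"password": _auth_password, "token": _auth_token}


def authenticate_chained(auth):
    """Run every listed method and require that all agree on one user.

    Returns that user id on success; raises AuthError otherwise. The order of
    the methods does not matter, so swapping "password" and "token" cannot
    change which user wins.
    """
    identity = auth["auth"]["identity"]
    methods = identity["methods"]
    if not methods:
        raise AuthError("no authentication method given")
    user_ids = set()
    for name in methods:
        handler = METHODS.get(name)
        if handler is None:
            raise AuthError("unsupported method %r" % name)
        if name not in identity:
            raise AuthError("method %r listed but no payload supplied" % name)
        user_ids.add(handler(identity[name]))
    if len(user_ids) != 1:
        # The case from the bug report: both methods succeed individually,
        # but for different users, so no token is issued.
        raise AuthError("authentication methods resolve to different users")
    return user_ids.pop()


# The request from the bug report, as a Python literal.
MIXED_USER_REQUEST = {
    "auth": {
        "identity": {
            "methods": ["password", "token"],
            "token": {"id": "6bb934a0120f097a32b5d3cc71f83beb"},
            "password": {
                "user": {
                    "domain": {"id": "default"},
                    "name": "test131",
                    "password": "test131",
                }
            },
        }
    }
}


def demo():
    """Return (user_id, None) if the mixed request is accepted, else (None, reason)."""
    try:
        return authenticate_chained(MIXED_USER_REQUEST), None
    except AuthError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(demo())
```

The same request with the password block pointing at the demo user (the token's owner) is accepted and yields a single user id; only the mixed-user form is refused, and reversing the method list makes no difference.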
More information about the Openstack-security mailing list