[Openstack-security] [Bug 1625619] Re: It is possible to download key pair for other user at the same project

Tristan Cacqueray tdecacqu at redhat.com
Tue Sep 27 14:52:24 UTC 2016


Oops, wrong bug updated. Well now that this is public, I've added
keystone to check that bug.

** Also affects: keystone
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1625619

Title:
  It is possible to download key pair for other user at the same project

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Bug was reproduced in mitaka openstack release.

  Steps to reproduce:

  1. Login to horizon.
  2. Click Project-> Compute -> Access and Security
  3. Click "Key Pairs" tab
  4. Click "Create Key Pair" button, enter keypair name.
  5. On the next screen with download key dialog copy URL from browser URL field

  URL will be like
  http://server/horizon/project/access_and_security/keypairs/<my key
  pair name>/download

  6. Click cancel to close download window.
  7. Click Project->Compute->Instances.
  8. In opened window select other key pair name from KEY PAIR column (it could be key pair for different user)
  9. open new browser window, paste URL string from step 5.
  10. Change in URL <my key pair name> with name obtained from step 8 and press enter

  You will be prompted to download private key for other user.

  It isn't correct user should be able to download only his own keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1625619/+subscriptions




More information about the Openstack-security mailing list