[Openstack-security] [Bug 1703369] Re: get_identity_providers policy should be singular

OpenStack Infra 1703369 at bugs.launchpad.net
Fri Jul 21 00:12:57 UTC 2017


Reviewed:  https://review.openstack.org/485694
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6c96675d63257d7ef2c27c5598c642efa7a25d08
Submitter: Jenkins
Branch:    stable/ocata

commit 6c96675d63257d7ef2c27c5598c642efa7a25d08
Author: Matthew Edmonds <edmondsw at us.ibm.com>
Date:   Mon Jul 10 09:20:18 2017 -0400

    fix identity:get_identity_providers typo
    
    Changes identity:get_identity_providers policy rule to
    identity:get_identity_provider to match what is checked by the code.
    
    Conflicts:
      keystone/common/policies/identity_provider.py
    
    There was a conflict backporting this change since the policy-in-code
    work is new in Pike. The conflict was resolved by removing the
    policy-in-code change and making it manually against the old
    etc/policy.json file.
    
    Change-Id: I0841abd30fd15c034b5836e42a18938634b509b1
    Closes-Bug: #1703369
    (cherry picked from commit b7119637a04d0a07fa6419a407f433c01bbd1db2)


** Changed in: keystone/ocata
       Status: In Progress => Fix Committed

** Changed in: keystone/newton
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1703369

Title:
  get_identity_providers policy should be singular

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) newton series:
  Fix Committed
Status in OpenStack Identity (keystone) ocata series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Confirmed

Bug description:
  identity:get_identity_providers should be
  identity:get_identity_provider (singular) since a GET is targeted on a
  single provider and the code is set up to check for
  identity:get_identity_provider (singular). See
  https://github.com/openstack/keystone/blob/c7e29560b7bf7a44e44722eea0645bf18ad56af3/keystone/federation/controllers.py#L112

  found in master (pike)

  The ocata default policy.json also has this problem. Unless someone
  manually overrode policy to specify identity:get_identity_provider
  (singular), the result would be that the default rule was actually
  used for that check instead of identity:get_identity_providers. We
  could go back and fix the default policy.json for past releases, but
  the default actually has the same value as
  identity:get_identity_providers, and if nobody has complained it's
  probably safer to just leave it. It is, after all, just defaults there
  and anyone can override by specifying the correct value.

  But we must fix in pike to go along with the shift of policy into
  code. Policy defaults in code definitely need to match up with what
  the code actually checks. There should no longer be any reliance on
  the default rule.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1703369/+subscriptions
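
The mismatch described in the bug report can be checked for mechanically. The following Python is an added example, not code from keystone or from the bug report: it models an undefined rule name as falling back to the `default` rule (a simplification of the policy engine), and the policy values and the enforced-name list are constructed for illustration.

```python
import difflib
import json

# Constructed policy file in the policy.json style the page describes;
# the rule values are illustrative, not copied from a keystone release.
POLICY_JSON = """
{
  "admin_required": "role:admin",
  "default": "rule:admin_required",
  "identity:list_identity_providers": "rule:admin_required",
  "identity:get_identity_providers": "rule:admin_required"
}
"""

# Rule names the code enforces. get_identity_provider (singular) is the
# name the bug report says keystone checks; the list entry is assumed.
ENFORCED = [
    "identity:list_identity_providers",
    "identity:get_identity_provider",
]


def audit_policy(policy_text, enforced):
    """Return (fallbacks, unused) for a policy file and enforced names.

    fallbacks: enforced name -> (effective rule, closest defined key or None)
    unused: defined API rule names that no enforcement point references
    """
    rules = json.loads(policy_text)
    fallbacks = {}
    for name in enforced:
        if name not in rules:
            # Simplified model of the fallback described in the report:
            # an undefined rule name is evaluated as the "default" rule.
            near = difflib.get_close_matches(name, rules, n=1, cutoff=0.8)
            fallbacks[name] = (rules.get("default"), near[0] if near else None)
    # Only keys shaped like "service:action" are API rules; aliases such
    # as admin_required are referenced by other rules, not by the code.
    unused = sorted(k for k in rules if ":" in k and k not in enforced)
    return fallbacks, unused


if __name__ == "__main__":
    fallbacks, unused = audit_policy(POLICY_JSON, ENFORCED)
    for name, (effective, near) in fallbacks.items():
        print(f"{name}: not defined, evaluated as default ({effective}); closest key: {near}")
    for name in unused:
        print(f"{name}: defined but never enforced")
```

An operator who had tightened the plural key while leaving `default` looser would see the singular check evaluated against `default`, which is the case this audit surfaces.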



