[Openstack-security] [Bug 1792047] Re: keystone rbacenforcer not populating policy dict with view args

Morgan Fainberg morgan.fainberg at gmail.com
Wed Sep 12 14:57:58 UTC 2018 

The concern is the opposite of exploitable. It can lock keystone's api too
closed. It is security in that sense, it should be a tag I guess.

On Wed, Sep 12, 2018, 08:41 Jeremy Stanley <fungi at yuggoth.org> wrote:

> Is this considered exploitable (class A vulnerability report)? Or should
> it be using the security bugtag to indicate a hardening opportunity
> instead of the Public Security bug type?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> Matching subscriptions: Private security bugs
> https://bugs.launchpad.net/bugs/1792047
>
> Title:
>   keystone rbacenforcer not populating policy dict with view args
>
> Status in OpenStack Identity (keystone):
>   In Progress
> Status in OpenStack Identity (keystone) rocky series:
>   In Progress
> Status in OpenStack Identity (keystone) stein series:
>   In Progress
>
> Bug description:
>   The old @protected decorator pushed the view arguments into the
>   policy_dict for enforcement purposes[0]. This was missed in the new
>   RBACEnforcer.
>
>   [0]
>
> https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1792047/+subscriptions
>

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1792047

Title:
  keystone rbacenforcer not populating policy dict with view args

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) rocky series:
  In Progress
Status in OpenStack Identity (keystone) stein series:
  In Progress

Bug description:
  The old @protected decorator pushed the view arguments into the
  policy_dict for enforcement purposes[0]. This was missed in the new
  RBACEnforcer.

  [0]
  https://github.com/openstack/keystone/blob/294ca38554bb229f66a772e7dba35a5b08a36b20/keystone/common/authorization.py#L152

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1792047/+subscriptions

More information about the Openstack-security mailing list