Difference between revisions of "OSSN/OSSN-0083"
Nickthetait (talk | contribs) (initial) |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | __NOTOC__ | ||
| + | |||
== Keystone policy rule "identity:get_identity_providers" was ignored == | == Keystone policy rule "identity:get_identity_providers" was ignored == | ||
| − | https://bugs.launchpad.net/ossn/+bug/1703369 | + | Keystone policy rule "identity:get_identity_providers" was ignored |
| + | --- | ||
| + | |||
| + | === Summary === | ||
| + | A policy rule in Keystone did not behave as intended leading to a less | ||
| + | secure configuration than would be expected. | ||
| + | |||
| + | === Affected Services / Software === | ||
| + | OpenStack Identity Service (Keystone) versions through Mitaka, as well | ||
| + | as Newton (<= 10.0.3), and Ocata (<= 11.0.3). | ||
| + | |||
| + | === Discussion === | ||
| + | Deployments were unaffected by this problem if the default rule was | ||
| + | changed or the "get_identity_providers" rule was manually changed to | ||
| + | be "get_identity_provider" (singular) in keystone's `policy.json`. | ||
| + | |||
| + | A spelling mistake in the default policy configuration caused these | ||
| + | rules to be ignored. As a result operators that attempted to restrict | ||
| + | this API were unlikely to actually enforce it. | ||
| + | |||
| + | === Recommended Actions === | ||
| + | Update Keystone to a minimum version of 12.0.0.0b3. Additionally, this | ||
| + | fix has been backported to Ocata (11.0.3) and Newton (10.0.3). | ||
| + | |||
| + | Fix any lingering rules: `identity:get_identity_providers` should | ||
| + | be changed to `identity:get_identity_provider`. | ||
| + | |||
| + | === Contacts / References === | ||
| + | Author: Nick Tait | ||
| + | |||
| + | This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0083 | ||
| + | |||
| + | Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1703369 | ||
| + | |||
| + | Mailing List : [Security] tag on openstack-dev@lists.openstack.org | ||
| + | |||
| + | OpenStack Security Project : https://launchpad.net/~openstack-ossg | ||
Latest revision as of 13:08, 24 April 2018
Keystone policy rule "identity:get_identity_providers" was ignored
Keystone policy rule "identity:get_identity_providers" was ignored ---
Summary
A policy rule in Keystone did not behave as intended leading to a less secure configuration than would be expected.
Affected Services / Software
OpenStack Identity Service (Keystone) versions through Mitaka, as well as Newton (<= 10.0.3), and Ocata (<= 11.0.3).
Discussion
Deployments were unaffected by this problem if the default rule was changed or the "get_identity_providers" rule was manually changed to be "get_identity_provider" (singular) in keystone's `policy.json`.
A spelling mistake in the default policy configuration caused these rules to be ignored. As a result operators that attempted to restrict this API were unlikely to actually enforce it.
Recommended Actions
Update Keystone to a minimum version of 12.0.0.0b3. Additionally, this fix has been backported to Ocata (11.0.3) and Newton (10.0.3).
Fix any lingering rules: `identity:get_identity_providers` should be changed to `identity:get_identity_provider`.
Contacts / References
Author: Nick Tait
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0083
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1703369
Mailing List : [Security] tag on openstack-dev@lists.openstack.org
OpenStack Security Project : https://launchpad.net/~openstack-ossg
