Reviewed: https://review.opendev.org/725912
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=2548f46b0aff357f6c953b30179b4d8e151e4236
Submitter: Zuul
Branch: master

commit 2548f46b0aff357f6c953b30179b4d8e151e4236
Author: Gage Hugo <gageh...@gmail.com>
Date:   Wed May 6 10:57:15 2020 -0500

    Add OSSA-2020-004 (CVEs Pending)

    Change-Id: Ide28e91b184edab45d22c47661ad6bb6003dd244
    Closes-Bug: #1872735
    Closes-Bug: #1872733

** Changed in: ossa
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872735

Title:
  EC2 and/or credential endpoints are not protected from a scoped context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Being authorized within a limited scope context, i.e. trust / oauth /
  application credential with a limited role, e.g. "monitoring_viewer" or
  "viewer", it is still possible to create EC2 credentials. A user can auth
  against Keystone using EC2 credentials and obtain all project roles of a
  trust/oauth/application_credential owner.

  I prepared a tool to auth against keystone using ec2 credentials:
  https://github.com/kayrus/ec2auth

  * auth against keystone using trust/oauth/application_credential credentials
  * issue ec2 credentials: "openstack ec2 credentials create"
  * authenticate against keystone using ec2 credentials:
    "ec2auth --access 7522162ced8f4e3eb9502168ef199584 --secret c558d9401a6943bbbb77a83ce910e5a5 --debug"

  You'll see that the returned token contains all owner roles.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872735/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
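Added example, not taken from the bug report, from Keystone, or from the ec2auth tool: a defender-side sketch of the two controls that close the gap the report describes. The first refuses "ec2 credentials create" when the caller's token was obtained through a delegated scope (trust, OAuth, or application credential), which is where a narrowed role set can be widened back to the owner's. The second, at EC2 authentication time, caps the roles of the resulting token at those recorded on the credential when it was issued, so a credential minted before such a gate existed cannot yield the owner's full roles. The AuthContext and Ec2Credential shapes, the function names, and the role names are assumptions made for this illustration and do not mirror Keystone's internal data model.

```python
from dataclasses import dataclass

# Auth methods that mean the token's scope was delegated and may be narrower
# than the delegating user's own roles (constructed list for this example).
DELEGATED_METHODS = frozenset({"trust", "oauth1", "application_credential"})


@dataclass(frozen=True)
class AuthContext:
    """Constructed stand-in for the scope a Keystone token carries."""
    user_id: str
    project_id: str
    methods: tuple          # how the token was obtained, e.g. ("password",)
    roles: frozenset        # roles effective for this token
    owner_roles: frozenset  # every role the delegating user holds on the project


@dataclass(frozen=True)
class Ec2Credential:
    """Constructed stand-in for a stored EC2 credential."""
    access: str
    user_id: str
    project_id: str
    roles: frozenset        # roles in effect when the credential was created


def is_delegated(ctx):
    """True when any auth method denotes a trust/OAuth/app-cred scope."""
    return bool(DELEGATED_METHODS & set(ctx.methods))


def check_ec2_create(ctx):
    """Gate for EC2 credential creation. Returns (allowed, reason).

    A credential created here would authenticate as the owner, so issuing
    one from a delegated scope lets a narrowed role set grow back to the
    owner's full set. Refuse delegated scopes outright; report the
    narrowed case separately so an audit log can distinguish it.
    """
    if not is_delegated(ctx):
        return True, "direct scope"
    if ctx.roles < ctx.owner_roles:
        return False, "delegated scope with narrowed roles"
    return False, "delegated scope"


def create_ec2_credential(ctx, access):
    """Create a credential only for contexts the gate accepts, recording
    the creator's effective roles on it."""
    allowed, reason = check_ec2_create(ctx)
    if not allowed:
        raise PermissionError(reason)
    return Ec2Credential(access, ctx.user_id, ctx.project_id, ctx.roles)


def roles_for_ec2_auth(cred, owner_roles, hardened=True):
    """Roles a token obtained with this EC2 credential should carry.

    hardened=False reproduces the reported behaviour: the token gets all
    of the owner's current roles regardless of how the credential was
    made. hardened=True bounds it to the roles recorded at creation,
    intersected with the owner's current roles so later role removals
    still take effect.
    """
    if not hardened:
        return frozenset(owner_roles)
    return cred.roles & frozenset(owner_roles)


if __name__ == "__main__":
    full = frozenset({"admin", "member", "viewer"})
    direct = AuthContext("u1", "p1", ("password",), full, full)
    trusted = AuthContext("u1", "p1", ("trust",), frozenset({"viewer"}), full)

    print("direct :", check_ec2_create(direct))
    print("trust  :", check_ec2_create(trusted))

    # A credential that predates the gate, created under a viewer-only trust.
    old = Ec2Credential("ACCESS-CONSTRUCTED", "u1", "p1", frozenset({"viewer"}))
    print("reported behaviour:", sorted(roles_for_ec2_auth(old, full, hardened=False)))
    print("hardened          :", sorted(roles_for_ec2_auth(old, full)))
```

Both layers matter: the creation gate stops new escalation paths, while the cap at authentication time covers credentials that already exist and is the one a rotation or audit job can verify by comparing each stored credential's recorded roles against the owner's current roles.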