Reviewed:  https://review.opendev.org/725917
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=3696964abeeef77b725d452b1cda8c79568d5ad0
Submitter: Zuul
Branch:    master
commit 3696964abeeef77b725d452b1cda8c79568d5ad0
Author: Gage Hugo <gageh...@gmail.com>
Date:   Wed May 6 11:06:58 2020 -0500

    Add OSSA-2020-005 (CVE Pending)

    Change-Id: I6b422cc4491d2c785565716ee4d07ca58efcdb0a
    Closes-Bug: #1873290

** Changed in: ossa
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1873290

Title:
  OAuth1 request token authorize silently ignores roles parameter

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Sorry for using "trustor" and "trustee" terms in OAuth1 context, but
  these terms clearly describe users' positions.

  OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role
  for an OAuth1 Access Token:

    $ openstack request token authorize
    usage: openstack request token authorize [-h] [-f {json,shell,table,value,yaml}]
                                             [-c COLUMN] [--noindent] [--prefix PREFIX]
                                             [--max-width <integer>] [--fit-width]
                                             [--print-empty] --request-key <request-key>
                                             --role <role>
    openstack request token authorize: error: the following arguments are required: --request-key, --role

  However, a specified role is silently ignored and the OAuth1 token gets
  all OAuth1 "trustor" roles.

  https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287

  As an OAuth1 "trustor" I expect the "trustee" to have only accepted
  roles.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1873290/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
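The defect the report describes is a delegation step that accepts a role list and then binds the full role set of the authorizing user to the token anyway. The following Python is an added illustration of that failure mode beside a hardened version; it is not Keystone's os_oauth1.py and not the patch that closed this bug. The `RequestToken` dataclass, the two `authorize_*` functions, the `AuthorizationError` type and the sample role sets are all assumptions made for the example.

```python
"""Model of an OAuth1 request-token authorization step.

Added example, not Keystone code. The buggy variant reproduces the
behaviour in the bug report (the requested role list is ignored); the
hardened variant binds only explicitly requested roles that the
authorizing user actually holds.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


class AuthorizationError(Exception):
    """Raised when an authorization request cannot be honoured as stated."""


@dataclass
class RequestToken:
    key: str
    consumer_id: str
    authorizing_user_id: Optional[str] = None
    role_ids: Tuple[str, ...] = ()
    authorized: bool = False


def authorize_ignoring_roles(token: RequestToken, user_id: str,
                             user_role_ids: Iterable[str],
                             requested_role_ids: Iterable[str]) -> RequestToken:
    """Buggy behaviour: requested_role_ids is accepted but never consulted.

    The token ends up carrying every role the authorizing user holds, so
    the consumer (the "trustee") gets more than the user intended to grant.
    """
    token.authorizing_user_id = user_id
    token.role_ids = tuple(sorted(user_role_ids))
    token.authorized = True
    return token


def authorize_with_requested_roles(token: RequestToken, user_id: str,
                                   user_role_ids: Iterable[str],
                                   requested_role_ids: Iterable[str]) -> RequestToken:
    """Hardened behaviour.

    * a request token can be authorized once only;
    * the authorizing user must name at least one role;
    * every named role must be one the user actually holds, otherwise the
      request is rejected instead of silently widened or narrowed;
    * only the named roles are bound to the token.
    """
    if token.authorized:
        raise AuthorizationError("request token already authorized")
    requested = set(requested_role_ids)
    if not requested:
        raise AuthorizationError("at least one role must be specified")
    missing = requested - set(user_role_ids)
    if missing:
        raise AuthorizationError(
            "authorizing user does not hold role(s): %s" % sorted(missing))
    token.authorizing_user_id = user_id
    token.role_ids = tuple(sorted(requested))
    token.authorized = True
    return token


# Constructed sample data: the "trustor" holds three roles on the project
# but intends to delegate only "reader" to the OAuth1 consumer.
TRUSTOR_ROLES = {"reader", "member", "admin"}
REQUESTED_ROLES = ["reader"]


def compare_behaviours() -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """Return (roles bound by buggy code, roles bound by hardened code)."""
    buggy = authorize_ignoring_roles(
        RequestToken("req-1", "consumer-1"), "user-1", TRUSTOR_ROLES, REQUESTED_ROLES)
    fixed = authorize_with_requested_roles(
        RequestToken("req-1", "consumer-1"), "user-1", TRUSTOR_ROLES, REQUESTED_ROLES)
    return buggy.role_ids, fixed.role_ids


def rejects_unheld_role() -> bool:
    """A user who lacks "admin" must not be able to delegate it."""
    try:
        authorize_with_requested_roles(
            RequestToken("req-2", "consumer-1"), "user-2", {"reader"}, ["admin"])
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    buggy_roles, fixed_roles = compare_behaviours()
    print("buggy authorize bound:", buggy_roles)
    print("fixed authorize bound:", fixed_roles)
    print("unheld role rejected:", rejects_unheld_role())
```

The check that matters is the subset test against the roles the authorizing user really holds: without it, a role list is either ignored (this bug) or becomes a way to ask for roles the user was never assigned. When reviewing a fix for a delegation endpoint, confirm both that the requested roles are stored and that a request naming a role the user lacks is rejected rather than silently dropped.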