keystone/releasenotes/notes/bug-1855080-08b28181b7cb2470.yaml
Colleen Murphy 17c337dbdb Fix credential list for project members
Without this patch, project members and readers can list any credentials
with the /v3/credentials API when enforce_scope is false. enforce_scope
is only applicable to project admins due to the admin-ness problem[1],
and this policy is not meant to allow project admins any access to users'
credentials (only system admins should be able to access them). However,
when enforce_scope is false, we need to preserve the old behavior of
project admins being able to list all credentials. This change mitigates
the problem by running the identity:get_credential policy check to
filter out credentials the user does not have access to. This will
impact performance.

Closes-bug: #1855080

[1] https://bugs.launchpad.net/keystone/+bug/968696

Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
2019-12-04 16:42:17 -08:00

---
critical:
  - |
    [`bug 1855080 <https://bugs.launchpad.net/keystone/+bug/1855080>`_]
    An error in the policy target filtering inadvertently allowed any user to
    list any credential object with the /v3/credentials API when
    ``[oslo_policy]/enforce_scope`` was set to false, which is the default.
    This has been addressed: users with non-admin roles on a project can no
    longer list other users' credentials. However, users with the admin role
    on a project may still list any user's credentials when
    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696
    <https://bugs.launchpad.net/keystone/+bug/968696>`_.
security:
  - |
    [`bug 1855080 <https://bugs.launchpad.net/keystone/+bug/1855080>`_]
    An error in the policy target filtering inadvertently allowed any user to
    list any credential object with the /v3/credentials API when
    ``[oslo_policy]/enforce_scope`` was set to false, which is the default.
    This has been addressed: users with non-admin roles on a project can no
    longer list other users' credentials. However, users with the admin role
    on a project may still list any user's credentials when
    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696
    <https://bugs.launchpad.net/keystone/+bug/968696>`_.
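The release note describes a general pattern: a list API that is authorised once, without a per-object target, leaks every row, and the mitigation is to re-run the single-object read check against each candidate before returning it. The following is an added illustration of that pattern and is not keystone's code; the rule strings, the tiny rule evaluator (a subset of oslo.policy syntax), the credential records and the three caller identities are all constructed for the example. It also models the caveat in the note: with scope enforcement off, a caller holding the admin role on a project still sees everything, while a system-scoped admin sees everything regardless.

```python
"""Toy model of per-object policy filtering for a credential list API.

Added example, not keystone's own implementation. The evaluator below
understands only the pieces of oslo.policy rule syntax needed here:
'a or b', 'a and b', 'role:NAME', 'system_scope:all' and
'user_id:%(target.credential.user_id)s'. Everything else is an assumption.
"""
import re

# Assumed rule: a system-scoped admin may read any credential; anyone else
# may read only a credential they own.
GET_CREDENTIAL_RULE = (
    "role:admin and system_scope:all or user_id:%(target.credential.user_id)s"
)

# Constructed credential store (not real data).
STORE = [
    {"id": "c1", "user_id": "alice", "project_id": "p1"},
    {"id": "c2", "user_id": "bob", "project_id": "p1"},
    {"id": "c3", "user_id": "carol", "project_id": "p2"},
]

# Constructed caller identities, in the shape of an oslo.policy creds dict.
MEMBER = {"user_id": "bob", "roles": ["member", "reader"], "project_id": "p1"}
PROJECT_ADMIN = {"user_id": "alice", "roles": ["admin", "member", "reader"],
                 "project_id": "p1"}
SYSTEM_ADMIN = {"user_id": "root", "roles": ["admin"], "system_scope": "all"}


def _atom(atom, creds, target):
    """Evaluate one 'key:value' term against the caller and the target."""
    key, _, value = atom.partition(":")
    if key == "role":
        return value in creds["roles"]
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:
        # Substitution against the target, e.g. target.credential.user_id.
        node = {"target": target}
        for part in m.group(1).split("."):
            node = node.get(part, {}) if isinstance(node, dict) else {}
        return node != {} and creds.get(key) == node
    return creds.get(key) == value


def check(rule, creds, target):
    """'and' binds tighter than 'or'; no parentheses in this subset."""
    for disjunct in rule.split(" or "):
        if all(_atom(a.strip(), creds, target) for a in disjunct.split(" and ")):
            return True
    return False


def enforce_get_credential(creds, cred, enforce_scope):
    """Per-object read check, with the legacy project-admin allowance kept
    only while scope enforcement is off (the behaviour the note preserves)."""
    target = {"credential": cred}
    if check(GET_CREDENTIAL_RULE, creds, target):
        return True
    return not enforce_scope and check("role:admin", creds, target)


def list_credentials_unfiltered(creds, store):
    """Shape of the flawed behaviour: the list call is authorised once with no
    per-object target, so every stored credential comes back to any caller."""
    return [c["id"] for c in store]


def list_credentials_filtered(creds, store, enforce_scope):
    """The mitigation: run the single-object read check against each row and
    drop the ones the caller could not have fetched individually."""
    return [c["id"] for c in store
            if enforce_get_credential(creds, c, enforce_scope)]


if __name__ == "__main__":
    for name, who in (("member", MEMBER), ("project admin", PROJECT_ADMIN),
                      ("system admin", SYSTEM_ADMIN)):
        for scope in (False, True):
            print(name, "enforce_scope=%s" % scope,
                  list_credentials_filtered(who, STORE, scope))
```

The cost the commit message warns about is visible in `list_credentials_filtered`: one rule evaluation per stored row, so a large credential table turns a single authorisation check into N of them. The alternative, pushing the owner constraint into the query itself, avoids that but only if the filter is derived from the policy rather than from caller-supplied query parameters.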