37e9907a17
This change addresses several issues in the creation and use of EC2/S3 credentials with keystone tokens.

1. Disable altering credential owner attributes or metadata

Without this patch, an authenticated user can create an EC2 credential for themself for a project they have a role on, then update the credential to target a user and project completely unrelated to them. In the worst case, this could be the admin user and a project the admin user has a role assignment on. A token granted for an altered credential like this would allow the user to masquerade as the victim user.

This patch ensures that when updating a credential, the new form of the credential is one the acting user has access to: if the system admin user is changing the credential, the new user ID or project ID could be anything, but regular users may only change the credential to be one that they still own.

Relatedly, when a user uses an application credential or a trust to create an EC2 credential, keystone automatically adds the trust ID or application credential ID as metadata in the EC2 access blob so that it knows how the token can be scoped when it is used. Without this patch, a user who has created a credential in this way can update the access blob to remove or alter this metadata and escalate their privileges to be fully authorized for the trustor's, application credential creator's, or OAuth1 access token authorizer's privileges on the project.

This patch fixes the issue by simply disallowing updates to keystone-controlled metadata in the credential.

2. Respect token roles when creating EC2 credentials

Without this patch, a trustee, an application credential user, or an OAuth1 access token holder could create an EC2 credential or an application credential using any roles the trustor, application credential creator, or access token authorizer had on the project, regardless of whether the creator had delegated only a limited subset of roles.

This was because the trust_id attribute of the EC2 access blob was ignored, and no metadata for the application credential or access token was recorded either. This change ensures that the access delegation resource is recorded in the metadata of the EC2 credential when created and passed to the token provider when used for authentication so that the token provider can look up the correct roles for the request.

Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
Closes-bug: #1872733
Closes-bug: #1872755
Closes-bug: #1872735
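The two checks the commit message describes, modelled as an added example that is not keystone's own code: an update to an EC2 credential must keep the (user, project) owner pair within what the acting user owns unless the actor is a system admin, and the keystone-written access blob keys (`trust_id`, `app_cred_id`) must not change; when a token is issued for such a credential, the recorded delegation is used to narrow the role list instead of granting the delegator's full project roles. The credential and actor dict shapes, the function names, the `delegations` lookup and all sample values are assumptions made for illustration (the OAuth1 access token key the commit message implies is not named on the page and is left out).

```python
# Added example, not keystone's own code. Data shapes, names and sample
# values are assumptions made to illustrate the commit message.
import json

# Keys keystone writes into the EC2 access blob itself when the credential is
# created through a trust or an application credential. After the fix these
# are read-only on update.
PROTECTED_BLOB_KEYS = ("trust_id", "app_cred_id")


class Forbidden(Exception):
    """Raised when an update would change ownership or protected metadata."""


def _blob(cred):
    """Return the EC2 access blob as a dict (stored JSON-encoded)."""
    blob = cred.get("blob")
    if blob is None:
        return {}
    if isinstance(blob, str):
        blob = json.loads(blob)
    return dict(blob)


def validate_credential_update(existing, update, actor):
    """Return the merged credential if `actor` may apply `update`, else raise.

    existing: {"type", "user_id", "project_id", "blob"} as stored
    update:   any subset of those keys
    actor:    {"user_id", "project_ids" (projects with a role), "is_system_admin"}
    """
    merged = dict(existing)
    merged.update({k: v for k, v in update.items() if k != "blob"})

    # Check 1: owner attributes. A system admin may set any user/project; a
    # regular user may only move the credential to a pair they still own,
    # which blocks retargeting it at another user such as admin.
    if not actor["is_system_admin"]:
        if merged["user_id"] != actor["user_id"]:
            raise Forbidden("credential may not be reassigned to another user")
        if merged.get("project_id") not in actor["project_ids"]:
            raise Forbidden("actor has no role on the target project")

    # Check 2: keystone-controlled metadata. Removing or altering trust_id /
    # app_cred_id would let a token escape the delegated role subset.
    if "blob" in update and existing.get("type") == "ec2":
        old_blob, new_blob = _blob(existing), _blob(update)
        for key in PROTECTED_BLOB_KEYS:
            if old_blob.get(key) != new_blob.get(key):
                raise Forbidden("%s is managed by keystone and is read-only" % key)
        merged["blob"] = json.dumps(new_blob)
    return merged


def effective_roles(blob, delegator_project_roles, delegations):
    """Roles a token issued for this EC2 credential should carry.

    Before the fix the delegation in the blob was ignored and the token got
    delegator_project_roles in full. Honouring it yields only the delegated
    roles the delegator still holds. `delegations` maps a trust/app-cred id
    to its delegated role list (assumed shape of the token provider's lookup).
    """
    for key in PROTECTED_BLOB_KEYS:
        delegation_id = blob.get(key)
        if delegation_id is not None:
            delegated = delegations[delegation_id]
            return sorted(set(delegated) & set(delegator_project_roles))
    return sorted(delegator_project_roles)


def demo():
    """Constructed scenarios mirroring the commit message; returns outcomes."""
    trust_cred = {"type": "ec2", "user_id": "trustee", "project_id": "proj-a",
                  "blob": json.dumps({"access": "AK1", "secret": "SK1",
                                      "trust_id": "trust-1"})}
    trustee = {"user_id": "trustee", "project_ids": {"proj-a"},
               "is_system_admin": False}
    admin = {"user_id": "admin", "project_ids": {"proj-a", "proj-b"},
             "is_system_admin": True}
    results = {}

    def attempt(name, update, actor):
        try:
            validate_credential_update(trust_cred, update, actor)
            results[name] = "allowed"
        except Forbidden:
            results[name] = "forbidden"

    # Masquerade attempt: retarget the credential at the admin user.
    attempt("retarget_to_admin", {"user_id": "admin", "project_id": "proj-b"}, trustee)
    # Strip trust_id from the blob to escape the delegated role subset.
    attempt("strip_trust_id", {"blob": json.dumps({"access": "AK1", "secret": "SK1"})}, trustee)
    # Harmless: rotate the secret while keeping keystone's metadata intact.
    attempt("rotate_secret", {"blob": json.dumps({"access": "AK1", "secret": "SK2",
                                                  "trust_id": "trust-1"})}, trustee)
    # A system admin may reassign ownership.
    attempt("admin_reassign", {"user_id": "someone", "project_id": "proj-b"}, admin)

    # Trust delegates only "member", although the trustor also holds "admin".
    results["roles"] = effective_roles(_blob(trust_cred), ["admin", "member"],
                                       {"trust-1": ["member"]})
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately separate: the owner check is a policy decision that depends on who the actor is, while the metadata check is unconditional, since even the credential's legitimate owner must not be able to rewrite how keystone will scope the resulting token.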
32 lines
1.7 KiB
YAML
---
critical:
  - |
    [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
    Fixed a security issue in which a trustee or an application credential user
    could create an EC2 credential or an application credential that would
    permit them to get a token that elevated their role assignments beyond the
    subset delegated to them in the trust or application credential. A new
    attribute ``app_cred_id`` is now automatically added to the access blob of
    an EC2 credential and the role list in the trust or application credential
    is respected.
security:
  - |
    [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
    Fixed a security issue in which a trustee or an application credential user
    could create an EC2 credential or an application credential that would
    permit them to get a token that elevated their role assignments beyond the
    subset delegated to them in the trust or application credential. A new
    attribute ``app_cred_id`` is now automatically added to the access blob of
    an EC2 credential and the role list in the trust or application credential
    is respected.
fixes:
  - |
    [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
    Fixed a security issue in which a trustee or an application credential user
    could create an EC2 credential or an application credential that would
    permit them to get a token that elevated their role assignments beyond the
    subset delegated to them in the trust or application credential. A new
    attribute ``app_cred_id`` is now automatically added to the access blob of
    an EC2 credential and the role list in the trust or application credential
    is respected.