openstack
/
keystone
Code Issues Proposed changes
keystone/releasenotes/notes
History
Colleen Murphy a405e4b71d Fix security issues with EC2 credentials 
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.

1. Disable altering credential owner attributes or metadata

Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.

Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.

2. Respect token roles when creating EC2 credentials

Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.

Conflicts (six removal in  e2d83ae9, pep8 fixes in e2d83ae9):
      keystone/api/credentials.py
      keystone/tests/unit/test_v3_application_credential.py
      keystone/tests/unit/test_v3_credential.py

Conflicts due to flask reorg:
	keystone/api/_shared/EC2_S3_Resource.py
	keystone/api/credentials.py
	keystone/api/users.py
	keystone/tests/unit/test_v3_credential.py

Moved the test_update_credential_non_owner unit test to
CredentialSelfServiceTestCase since in this branch the default policies
are not affected by #1872733.

NOTE: the application credential functional changes, along with its
tests were removed from the stable/pike backport as stable/pike does not
support application credentials.

Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
Closes-bug: #1872733
Closes-bug: #1872755
Closes-bug: #1872735
(cherry picked from commit 37e9907a17)
(cherry picked from commit 2f2736ebb2)
(cherry picked from commit 27caafe3daa552663719954f2cd6713dd4493178)
(cherry picked from commit bfba75fc3c5c8f119f74dbf31347e008824a2134)
(cherry picked from commit 53d1ccb8a1)
(cherry picked from commit 6db1bb09a0)
 		2020-06-03 09:54:00 -07:00
..
.placeholder Add reno for release notes management 2015-11-10 16:10:00 -05:00
Assignment_V9_driver-c22be069f7baccb0.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
DomainSpecificRoles-fc5dd2ef74a1442c.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
Role_V9_driver-971c3aae14d9963d.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
V9ResourceDriver-26716f97c0cc1a80.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
add-bootstrap-cli-192500228cc6e574.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
add_password_expires_at_to_user_response-22f14ab629c48bc2.yaml PCI-DSS Adds password_expires_at to API docs 2016-07-22 17:47:27 +00:00
admin_token-a5678d712783c145.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
admin_token-c634ec12fc714255.yaml Disable Admin tokens set to None 2016-02-16 20:00:34 +00:00
bp-allow-expired-f5d845b9601bc1ef.yaml Readability/Typo Fixes in Release Notes 2017-02-08 00:31:19 +00:00
bp-domain-config-as-stable-716ca5ab33c0cc42.yaml Mark the domain config via API as stable 2016-07-08 14:44:30 -07:00
bp-domain-config-default-82e42d946ee7cb43.yaml Fix a typo in core.py and bp-domain-config-default-82e42d946ee7cb43.yaml 2016-09-29 09:25:59 +08:00
bp-manage-migration-c398963a943a89fe.yaml Add expand, data migration and contract logic to keystone-manage 2016-08-18 10:37:56 +01:00
bp-password-expires-validation-4b32fe7032595932.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bp-pci-dss-notifications-808a205a637bac25.yaml Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
bp-pci-dss-password-requirements-api-87bc724b2aa554f7.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bp-pci-dss-query-password-expired-users-a7c96a3843bb9abc.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bp-per-user-auth-plugin-reqs-feb95fd907be4b40.yaml Add MFA Rules Release Note 2017-01-31 22:07:37 +00:00
bp-policy-in-code-722372a27291b9cd.yaml remove default rule 2017-07-12 14:26:51 -04:00
bp-shadow-mapping-06fc7c71a401d707.yaml Fix some typo in releasenotes 2017-02-27 10:14:14 +08:00
bp-support-federated-attr-94084d4073f50280.yaml Fix some typo in releasenotes 2017-02-27 10:14:14 +08:00
bp-url-safe-naming-ad90d6a659f5bf3c.yaml Add support for strict url safe option on new projects and domains 2016-01-19 03:47:31 +00:00
bug-1017606-98313bb4c1edf250.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1490804-de58a9606edb31eb.yaml Add audit IDs to revocation events 2015-12-17 10:46:23 -06:00
bug-1519210-de76097c974f9c93.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
bug-1523369-4d42c841b6e7e54e.yaml Move release note from /keystone/releasenotes to /releasenotes 2017-03-24 16:41:36 -04:00
bug-1524030-ccff6b0ec9d1cbf2.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1535878-change-get_project-permission-e460af1256a2c056.yaml Change get_project permission 2016-02-11 12:21:24 +00:00
bug-1542417-d630b7886bb0b369.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
bug-1547684-911aed68a0d3df17.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1561054-dbe88b552a936a05.yaml Readability/Typo Fixes in Release Notes 2017-02-08 00:31:19 +00:00
bug-1563101-134df5b99ea48f00.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1571878-1bcaea5337905af0.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1582585-a368ac5a252ec84f.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1590587-domain-specific-role-assignment-8f120604a6625852.yaml Project domain must match role domain for assignment 2016-09-07 11:43:53 -07:00
bug-1594482-52a5dd1d8477b694.yaml /services?name=<name> API fails when using list_limit 2016-06-21 14:22:19 -07:00
bug-1611102-e1348cbec9b1110a.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1613466-credential-update-ec2-type-8fb51ff3ad3a449c.yaml Fix credential update to ec2 type 2016-08-23 06:58:03 +00:00
bug-1615014-b30f606a2d202428.yaml Validate rolling upgrade is run in order 2017-06-27 20:54:04 +00:00
bug-1616424-c46ba773f7ac40ae.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1622310-c501cf77437fdfa6.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1636950-8fa1a47fce440977.yaml Fix some typo in releasenotes 2017-02-27 10:14:14 +08:00
bug-1638603-354ee4167e6e.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1641645-516709f9da3de26f.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1641654-8630ce7bcde43a7e.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1641660-f938267e1ec54071.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1641816-8b39f3f73359c778.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1642212-9964dfd3af0184bd.yaml Add --check to keystone-manage db_sync command 2017-02-09 19:45:02 +00:00
bug-1642348-83d4c86ad3984d75.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1642457-4533f9810a8cd927.yaml Handle disk write failure when doing Fernet key rotation 2016-12-26 10:17:01 +08:00
bug-1642687-5497fb56fe86806d.yaml Readability/Typo Fixes in Release Notes 2017-02-08 00:31:19 +00:00
bug-1642687-c7ab1c9be152db20.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1642692-d669c8fcf9e171d9.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1645487-ca22c216ec26cc9b.yaml PCI-DSS Force users to change password upon first use 2017-01-27 18:47:15 +00:00
bug-1649138-c53974f6bb0eab14.yaml Add anonymous bind to get_connection method 2017-01-12 04:02:24 +00:00
bug-1649446-efff94143823755d.yaml listing revoke events should be admin only 2017-01-09 21:12:47 +00:00
bug-1649616-b835d1dac3401e8c.yaml Fixing flushing tokens workflow 2017-07-10 17:10:38 -03:00
bug-1652012-b3aea7c0d5affdb6.yaml Change is_admin_project to False by default 2017-03-03 14:51:23 -06:00
bug-1656076-c4422270f73b43b.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1659730-17834ba2dde668ae.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
bug-1659995-f3e716de743b7291.yaml Revise conf param in releasenotes 2017-03-03 09:58:02 +08:00
bug-1670382-ee851ba4f364d608.yaml Add group_members_are_ids to whitelisted options 2017-03-20 12:09:26 +00:00
bug-1676497-92271e25f642e2de.yaml Differentiate between dpkg and rpm for libssl-dev 2017-03-31 11:27:25 -04:00
bug-1684994-264fb8f182ced180.yaml Clarify LDAP invalid credentials exception 2017-06-29 16:17:06 -05:00
bug-1687593-95e1568291ecd70b.yaml Add a release note for bug 1687593 2017-07-13 22:43:44 +00:00
bug-1696574-15a728396350a95a.yaml Document and add release note for HEAD APIs 2017-06-27 21:15:44 +00:00
bug-1700852-de775d0eb2ddfdd1.yaml Cache list projects and domains for user 2017-08-09 14:45:58 +00:00
bug-1701324-739a31f38037f77b.yaml Remove duplicate roles from federated auth 2017-08-16 15:22:36 +00:00
bug-1702211-abb59adda73fd78e.yaml Add int storage of datetime for password created/expires 2017-08-15 18:34:20 +00:00
bug-1703369-9a901d627a1e0316.yaml fix identity:get_identity_providers typo 2017-07-11 17:51:57 -04:00
bug-1704205-bc0570feeb3ec5c4.yaml Filter users and groups in ldap 2017-08-01 01:18:40 +05:30
bug-1705485-7a1ad17b9cc99b9d.yaml Remove policy for self-service password changes 2017-08-04 13:56:59 +00:00
bug-1718747-50d39fa87bdbb12b.yaml Delete SQL users before deleting domain 2018-02-09 00:19:33 +01:00
bug-1727726-0b47608811a2cd16.yaml Filter users/groups in ldap with whitespaces 2017-11-15 01:09:18 +00:00
bug-1740951-82b7e4bd608742ab.yaml Expose a get_enforcer method for oslo.policy scripts 2018-01-16 17:49:07 +00:00
bug-1753585-7e11213743754999.yaml LDAP attribute names non-case-sensitive 2018-10-02 14:14:38 +00:00
bug-1763824-3d2f5169af9d42f.yaml Fix json schema nullable to add None to ENUM 2018-04-19 13:25:02 +00:00
bug-1801873-0eb9a5ec3e801190.yaml Delete shadow users when domain is deleted 2019-04-05 09:16:25 -07:00
bug-1872733-2377f456a57ad32c.yaml Fix security issues with EC2 credentials 2020-06-03 09:54:00 -07:00
bug-1872735-0989e51d2248ce1e.yaml Fix security issues with EC2 credentials 2020-06-03 09:54:00 -07:00
bug-1872737-f8e1ad3b6705b766.yaml Check timestamp of signed EC2 token request 2020-05-31 22:16:05 -07:00
bug-1872755-2c81d3267b89f124.yaml Fix security issues with EC2 credentials 2020-06-03 09:54:00 -07:00
bug_1526462-df9a3f3974d9040f.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
bug_1543048_and_1668503-7ead4e15faaab778.yaml Support new hashing algorithms for securely storing password hashes 2017-05-18 20:03:25 -05:00
bug_1674415-e8a7345aa2b05ab7.yaml Error messages are not translating with locale. 2017-03-24 20:08:17 +00:00
bug_1688188-256e3572295231a1.yaml Handle auto-generated domains when creating IdPs 2017-07-27 20:20:00 +00:00
bug_1698900-f195125bf341d887.yaml Improve handling of database migration checks 2017-06-19 21:41:26 +00:00
catalog-caching-12f2532cfb71325a.yaml Add release notes for mitaka thus far 2015-11-23 16:29:39 -05:00
catalog_project_id-519f5a70f9f7c4c6.yaml Allow project_id in catalog substitutions 2016-02-15 10:55:23 -06:00
deprecate-endpoint-policy-cfg-option-d018acab72a398a0.yaml fix up release notes, file deprecations under right title 2015-12-14 22:27:47 -05:00
deprecate-memcache-token-persistence-eac88c80147ea241.yaml Mark memcache and memcache_pool token deprecated 2016-01-19 21:45:48 -05:00
deprecate-v2-apis-894284c17be881d2.yaml reorganize mitaka release notes 2016-05-18 17:33:32 +00:00
deprecated-as-of-mitaka-8534e43fa40c1d09.yaml reorganize mitaka release notes 2016-05-18 17:33:32 +00:00
deprecated-as-of-newton-be1d8dbcc6bdc68f.yaml Deprecate keystone.common.kvs 2016-05-12 23:30:15 -07:00
deprecated-as-of-ocata-a5b2f1e3e39f818e.yaml Merge "add additional deprecation warnings for KVS options" 2017-01-28 03:01:05 +00:00
deprecated-as-of-pike-506f9aca91674550.yaml Deprecate (and slate for removal) UUID tokens 2017-02-11 06:01:27 +00:00
enable-filter-idp-d0135f4615178cfc.yaml Support `id` and `enabled` attributes when listing service providers 2016-03-16 13:27:12 -04:00
enable-inherit-on-default-54ac435230261a6a.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
endpoints-from-endpoint_group-project-association-7271fba600322fb6.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
extensions-to-core-a0d270d216d47276.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
federation-group-ids-mapping-6c56120d65a5cb22.yaml Add release notes for mitaka-1 2015-12-01 17:32:49 -05:00
httpd-keystone-d51b7335559b09c8.yaml fix up release notes, file deprecations under right title 2015-12-14 22:27:47 -05:00
identity_driver_new_change_password_method-e8c0e06795bca2d8.yaml PCI-DSS Minimum password age requirements 2016-08-16 21:47:49 +00:00
impl-templated-catalog-1d8f6333726b34f8.yaml Removes KVS catalog backend 2016-01-19 21:26:30 -05:00
implied-roles-026f401adc0f7fb6.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
insecure_reponse-2a168230709bc8e7.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
integrate-osprofiler-ad0e16a542b12899.yaml Fix some typo in releasenotes 2017-02-27 10:14:14 +08:00
is-admin-24b34238c83b3a82.yaml Cleans up code for `is_admin` in tokens 2015-12-07 19:30:37 -03:00
ldap-conn-pool-enabled-90df94652f1ded53.yaml Enable LDAP connection pooling by default 2016-02-26 14:19:10 +00:00
ldap-emulation-91c4d535eb9c3d10.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
list_limit-ldap-support-5d31d51466fc49a6.yaml Add release note for list_limit support 2016-03-18 18:15:41 +03:00
list_role_assignment_names-33aedc1e521230b6.yaml Fix nits in include names patch 2016-01-22 08:25:38 -06:00
mapping_populate-521d92445505b8a3.yaml Add mapping_populate command 2016-08-23 20:52:10 +00:00
migration_squash-f655329ddad7fc2a.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
no-default-domain-2161ada44bf7a3f7.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
notify-on-user-group-membership-8c0136ee0484e255.yaml Add notifications to user/group membership 2016-03-09 17:20:33 +00:00
oauth1-headers-content-type-9a9245d9bbec8f8e.yaml Replace the content type with correct one 2016-08-16 21:26:06 +08:00
oslo.cache-a9ce47bfa8809efa.yaml Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
password-created_at-nullable-b3c284be50d93ef5.yaml Fixes migration where password created_at is nullable 2016-09-01 17:15:47 +00:00
policy_new_federated_projects_for_user-dcd7bd148efef049.yaml Concrete role assignments for federated users 2016-06-29 02:24:03 +00:00
pre-cache-tokens-73450934918af26b.yaml Pre-cache new tokens 2016-08-31 20:14:53 +03:00
projects_as_domains-3ea8a58b4c2965e1.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
python3-support-e4189e0a1a6e2e4f.yaml Add python 3 release note. 2016-05-20 21:54:54 +00:00
remove-trust-auth-support-from-v2-de316c9ba46d556d.yaml Fix release note of removal of v2.0 trusts support 2016-02-11 06:39:26 +00:00
removed-as-of-mitaka-9ff14f87d0b98e7e.yaml Removed deprecated revoke KVS backend 2016-01-25 01:08:15 -08:00
removed-as-of-newton-721c06b5dcb1b34a.yaml remove deprecated revoke_by_expiration function 2016-05-22 14:39:58 +00:00
removed-as-of-ocata-436bb4b839e74494.yaml clean up release notes for ocata 2017-01-27 14:36:54 +00:00
removed-as-of-pike-deadbeefdeadbeef.yaml Remove loading drivers outside of their expected namespaces 2017-05-18 18:08:26 +00:00
request_context-e143ba9c446a5952.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
resource-backend-sql-only-03154d8712b36bd0.yaml Resource backend is SQL only now 2017-08-14 19:00:37 +00:00
revert-v2-token-issued-for-non-default-domain-25ea5337f158ef13.yaml Add release note for revert of c4723550aa 2016-01-17 20:42:36 +00:00
s3-aws-v4-c6cb75ce8d2289d4.yaml Add release notes for mitaka thus far 2015-11-23 16:29:39 -05:00
support_encrypted_credentials_at_rest-93dcb67b3508e91a.yaml Document credential encryption 2016-08-31 21:28:42 +00:00
totp-40d93231714c6a20.yaml Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
use-pyldap-6e811c28bf350d6d.yaml Use PyLDAP instead of python-ldap 2016-05-18 02:38:34 -04:00
v2-dep-d6e7ab2d08119549.yaml Give a prospective removal date for all v2 APIs 2017-02-27 15:27:58 +00:00
v3-endpoints-in-v2-list-b0439816938713d6.yaml Add release notes for mitaka thus far 2015-11-23 16:29:39 -05:00
v9FederationDriver-cbebcf5f97e1eae2.yaml Release note cleanup 2016-03-14 19:04:58 +00:00
x509-auth-df0a229780b8e3ff.yaml Release note cleanup 2016-03-14 19:04:58 +00:00