keystone/releasenotes/notes/bug-1872753-e2a934eac919ccde.yaml
Vishakha Agarwal 252c23b1b8 Disable EC2 credentials access_id update
Without this patch user can alter EC2 credential access_id and user
cannot use it anymore as an ec2 auth token since EC2 credential
access ID is used to calculate an ID of the "credential" [1] and it
doesn't update the EC2 credential ID with new access ID. This leads
to unwanted EC2 credentials stored in database.

As per the discussion of keystone team [2] we decided to block patching
of "access_id" attribute.

[1] 7bb6314e40/keystone/api/users.py (L363)
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting-alt/%23openstack-meeting-alt.2020-05-12.log.html#t2020-05-12T17:45:20

Closes-Bug: #1872753
Change-Id: I1f6ce3927c2881d9a2d7dcda3ccd29e0a82e45a9
2020-05-19 17:35:05 +05:30

---
fixes:
  - >
    [`bug 1872753 <https://bugs.launchpad.net/keystone/+bug/1872753>`_]
    Added validation to the EC2 credential API to prevent altering the ``access_id``
    field in the blob attribute. This prevents accidentally orphaning an EC2 credential
    resource when an altered ``access_id`` no longer resolves to the credential's
    resource ID.
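
The orphaning this release note describes, as an added example that is not keystone's code: a toy store derives the credential ID from ``access_id`` and applies the same blob update with and without the validation. The SHA-256 derivation, the class and function names, the error text and the sample values are assumptions made for illustration.

```python
import hashlib
import json


class ValidationError(Exception):
    """Raised when an update would change the immutable access_id."""


def credential_id(access_id):
    # Assumption: SHA-256 of the access ID stands in for the ID derivation.
    return hashlib.sha256(access_id.encode("utf-8")).hexdigest()


class CredentialStore:
    """Hypothetical in-memory store, not keystone's credential backend."""

    def __init__(self, validate):
        self.validate = validate
        self.rows = {}  # credential ID -> JSON blob

    def create(self, blob):
        cid = credential_id(blob["access_id"])
        self.rows[cid] = json.dumps(blob)
        return cid

    def update(self, cid, new_blob):
        old_blob = json.loads(self.rows[cid])
        if self.validate and old_blob.get("access_id") != new_blob.get("access_id"):
            raise ValidationError("access_id can not be updated for credential")
        # The row keeps its original ID; it is never re-derived from the blob.
        self.rows[cid] = json.dumps(new_blob)

    def orphaned(self):
        # A row is orphaned when its stored access_id no longer hashes to its ID.
        return [cid for cid, blob in self.rows.items()
                if credential_id(json.loads(blob)["access_id"]) != cid]


def demo(validate):
    store = CredentialStore(validate)
    # Constructed sample values.
    cid = store.create({"access_id": "constructed-access-1", "secret": "constructed"})
    try:
        store.update(cid, {"access_id": "constructed-access-2", "secret": "constructed"})
        rejected = False
    except ValidationError:
        rejected = True
    return {"rejected": rejected, "orphaned": store.orphaned() == [cid]}
```

Running ``orphaned()`` style checks against stored credentials is also a way to find rows left behind by updates made before the validation existed.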