17c337dbdb
Without this patch, project members and readers can list any credentials with the /v3/credentials API when enforce_scope is false. enforce_scope is only applicable to project admins due to the admin-ness problem[1], and this policy is not meant to allow project admins any access to users' credentials (only system admins should be able to access them). However, when enforce_scope is false, we need to preserve the old behavior of project admins being able to list all credentials.

This change mitigates the problem by running the identity:get_credential policy check to filter out credentials the user does not have access to. This will impact performance.

Closes-bug: #1855080

[1] https://bugs.launchpad.net/keystone/+bug/968696

Change-Id: I5dd85a6b8368373a27aef2942a64499d020662ef
24 lines
1.2 KiB
YAML
---
critical:
  - |
    [`bug 1855080 <https://bugs.launchpad.net/keystone/+bug/1855080>`_]
    An error in the policy target filtering inadvertently allowed any user to
    list any credential object with the /v3/credentials API when
    ``[oslo_policy]/enforce_scope`` was set to false, which is the default.
    This has been addressed: users with non-admin roles on a project may not
    list other users' credentials. However, users with the admin role on a
    project may still list any user's credentials when
    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696
    <https://bugs.launchpad.net/keystone/+bug/968696>`_.
security:
  - |
    [`bug 1855080 <https://bugs.launchpad.net/keystone/+bug/1855080>`_]
    An error in the policy target filtering inadvertently allowed any user to
    list any credential object with the /v3/credentials API when
    ``[oslo_policy]/enforce_scope`` was set to false, which is the default.
    This has been addressed: users with non-admin roles on a project may not
    list other users' credentials. However, users with the admin role on a
    project may still list any user's credentials when
    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696
    <https://bugs.launchpad.net/keystone/+bug/968696>`_.
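The mitigation the commit message describes (run the single-object identity:get_credential check against every credential a list call would return, instead of authorizing the list once) is shown below as an added example. It is not Keystone's code: the policy table, the stand-in enforcer, the shape of the pre-fix bug, and the users and credentials are all constructed for illustration, and the "before" handler models the bug class rather than Keystone's exact defect. The admin_required rule stands in for the legacy admin-ness behaviour that the enforce_scope flag switches off.

```python
"""Per-object policy filtering for a list API (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str
    project_id: str


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    project_id: str                  # "" for a system-scoped token
    roles: FrozenSet[str]
    system_scope: bool = False


Target = Dict[str, str]
Rule = Callable[[RequestContext, Target], bool]


def owner(ctx: RequestContext, target: Target) -> bool:
    """Caller owns the object named by the target."""
    return target.get("user_id") == ctx.user_id


def system_reader(ctx: RequestContext, target: Target) -> bool:
    """System-scoped token carrying at least the reader role."""
    return ctx.system_scope and bool(ctx.roles & {"reader", "member", "admin"})


def admin_required(ctx: RequestContext, target: Target) -> bool:
    """Legacy rule: any 'admin' role passes, project-scoped or not (the
    admin-ness problem the commit message cites as bug 968696)."""
    return "admin" in ctx.roles


class Enforcer:
    """Stand-in for an oslo.policy enforcer (constructed, not the real API)."""

    def __init__(self, policy: Dict[str, List[Rule]], enforce_scope: bool):
        self.policy = policy
        self.enforce_scope = enforce_scope
        self.checks = 0              # rule evaluations performed, to show the cost

    def enforce(self, action: str, target: Target, ctx: RequestContext) -> bool:
        self.checks += 1
        for rule in self.policy[action]:
            # With scope enforcement on, the legacy admin rule no longer lets a
            # project admin act as a system admin.
            if rule is admin_required and self.enforce_scope:
                continue
            if rule(ctx, target):
                return True
        return False


# Constructed policy table in the shape of the credential rules discussed above.
POLICY: Dict[str, List[Rule]] = {
    "identity:get_credential": [owner, system_reader, admin_required],
    "identity:list_credentials": [owner, system_reader, admin_required],
}


def list_credentials_before(ctx, creds, enforcer):
    """Bug class (constructed): a single check against a target that describes
    the caller rather than the objects returned, so the owner rule passes for
    every authenticated user and the whole collection is handed back."""
    if not enforcer.enforce("identity:list_credentials", {"user_id": ctx.user_id}, ctx):
        raise PermissionError("identity:list_credentials denied")
    return list(creds)


def list_credentials_after(ctx, creds, enforcer):
    """Mitigation from the commit message: keep only the credentials for which
    the single-object check passes. Cost: one policy check per credential."""
    return [
        c for c in creds
        if enforcer.enforce("identity:get_credential",
                            {"user_id": c.user_id, "project_id": c.project_id}, ctx)
    ]


# Constructed sample data.
CREDENTIALS = [
    Credential("c1", "alice", "p1"),
    Credential("c2", "bob", "p1"),
    Credential("c3", "carol", "p2"),
]
MEMBER = RequestContext("alice", "p1", frozenset({"member"}))
PROJECT_ADMIN = RequestContext("bob", "p1", frozenset({"admin"}))
SYSTEM_READER = RequestContext("sysop", "", frozenset({"reader"}), system_scope=True)


def visible_ids(ctx, enforce_scope, fixed=True):
    """Credential ids the caller can list under the given configuration."""
    enforcer = Enforcer(POLICY, enforce_scope)
    lister = list_credentials_after if fixed else list_credentials_before
    return [c.id for c in lister(ctx, CREDENTIALS, enforcer)]


if __name__ == "__main__":
    for fixed in (False, True):
        for name, ctx in (("member", MEMBER), ("project admin", PROJECT_ADMIN)):
            print("fixed" if fixed else "before", name, visible_ids(ctx, False, fixed))
```

With enforce_scope False the fixed handler still returns every credential to a project admin, which is the legacy behaviour the commit message says must be preserved, while a plain project member now sees only their own; with enforce_scope True the project admin is reduced to an owner. The `checks` counter makes the performance cost visible: the filtered list costs one policy evaluation per credential rather than one per request.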