swift_auth validates the tenant:user acl incorrectly

Bug #963546 reported by Maru Newby
Affects                       | Status       | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High       | Maru Newby  |
keystone (Ubuntu)             | Fix Released | Undecided  | Unassigned  |
Precise                       | Fix Released | Undecided  | Unassigned  |

Bug Description

One of Swift's standard authorization checks is whether 'tenant_name:user' is one of the ACLs for the resource being accessed. swift_auth fails to allow tenant_name:user, and instead allows tenant_id:user.
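
The mismatch described in this report, as an added example that is not part of the original report and is not keystone's swift_auth code. The function names, the simplified ACL parser and the sample identity and ACL values are all constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not keystone's swift_auth code.

def parse_acl(acl_header):
    """Split a Swift-style comma-separated ACL string into (referrers, groups)."""
    referrers, groups = [], []
    for raw in (acl_header or "").split(","):
        entry = raw.strip()
        if not entry:
            continue
        # Referrer entries start with ".r:"; everything else is a group/user entry.
        (referrers if entry.startswith(".r:") else groups).append(entry)
    return referrers, groups


def user_acl_match_pre_fix(identity, acl_header):
    """Behaviour described in the report: the entry is built from tenant_id."""
    _, groups = parse_acl(acl_header)
    return "%s:%s" % (identity["tenant_id"], identity["user"]) in groups


def user_acl_match_expected(identity, acl_header):
    """Swift's standard check per the report: the entry is built from tenant_name."""
    _, groups = parse_acl(acl_header)
    return "%s:%s" % (identity["tenant_name"], identity["user"]) in groups


def compare(identity, acl_header):
    """Return the (pre_fix, expected) decisions for one ACL string."""
    return (user_acl_match_pre_fix(identity, acl_header),
            user_acl_match_expected(identity, acl_header))


# Constructed sample identity and ACL values.
IDENTITY = {"tenant_id": "a1b2c3", "tenant_name": "acme", "user": "alice"}
ACL_BY_NAME = ".r:example.com, acme:alice"   # written the way Swift operators expect
ACL_BY_ID = "a1b2c3:alice"                   # only form the pre-fix check accepts

if __name__ == "__main__":
    for label, acl in (("name-based", ACL_BY_NAME), ("id-based", ACL_BY_ID)):
        pre_fix, expected = compare(IDENTITY, acl)
        print("%-10s pre-fix=%s expected=%s" % (label, pre_fix, expected))
```

A regression test for an authorization middleware of this kind should assert both directions: the name-based entry grants access and the id-based entry does not.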

Changed in keystone:
assignee: nobody → Maru Newby (maru)
status: New → In Progress
Joseph Heck (heckj) wrote :

Maru - I'm thinking that this should potentially be in the list of elements to be backported into RC2/essex release of Keystone. What are your thoughts?

Changed in keystone:
importance: Undecided → High
milestone: none → essex-rc2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/5595
Committed: http://github.com/openstack/keystone/commit/f3af6918639013a5219a6192d5777e9437e20afa
Submitter: Jenkins
Branch: master

commit f3af6918639013a5219a6192d5777e9437e20afa
Author: Maru Newby <email address hidden>
Date: Tue Mar 20 18:47:19 2012 -0700

    Improve swift_auth test coverage + Minor fixes

     * Isolates authorize() tests from wsgi tests
     * Adds coverage for authorize()
     * Adds support for a blank reseller_prefix
     * Adds swift_auth test dependencies to tools/test-requires
     * Cleans up authorize()'s use of tenant_id/tenant_name
       (addresses bug 963546)

    Change-Id: I603b89ab4fe8559b0f5d72528afd659ee0f0bce1

Changed in keystone:
status: In Progress → Fix Committed
Maru Newby (maru) wrote :

Joe: I definitely support the fix for this bug being included in essex.

swift_auth won't be ready for production use until the fixes for this bug, bug 954030, and bug 924578 (the latter two being resolved in https://review.openstack.org/#change,5603) go in. Hopefully fixes for all three can be included with essex to allow out-of-the-box integration between Keystone and Swift.

Thierry Carrez (ttx)
tags: removed: essex-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/6150

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (milestone-proposed)

Reviewed: https://review.openstack.org/6150
Committed: http://github.com/openstack/keystone/commit/8037722264668d9b66326cdfac25f6cf84d2b7d4
Submitter: Jenkins
Branch: milestone-proposed

commit 8037722264668d9b66326cdfac25f6cf84d2b7d4
Author: Maru Newby <email address hidden>
Date: Tue Mar 20 18:47:19 2012 -0700

    Improve swift_auth test coverage + Minor fixes

     * Isolates authorize() tests from wsgi tests
     * Adds coverage for authorize()
     * Adds support for a blank reseller_prefix
     * Adds swift_auth test dependencies to tools/test-requires
     * Cleans up authorize()'s use of tenant_id/tenant_name
       (addresses bug 963546)

    Change-Id: I603b89ab4fe8559b0f5d72528afd659ee0f0bce1

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-rc2 → 2012.1
Chuck Short (zulcss)
Changed in keystone (Ubuntu Precise):
status: New → Fix Released
Chuck Short (zulcss)
Changed in keystone (Ubuntu):
status: New → Fix Released