Unable to remove aws key as normal user

Bug #1245435 reported by Fabien Boucher
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Steven Hardy |
Havana | Fix Released | Medium | wanghong |

Bug Description

In devstack, as a normal user, I'm able to create a bunch of AWS key pairs. But I'm unable to delete those AWS key pairs as a normal user. Below are the commands:
fabien@devstack-1:~$ . openrc demo demo
fabien@devstack-1:~/devstack$ keystone ec2-credentials-create
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| access | 11fcd9628779482f9b7971ec0bc69359 |
| secret | 4c7aa22f89ba49ce8de67512abf513df |
| tenant_id | 53f4610540fd4be7938e65f4c9567e25 |
| user_id | 970acc126501440b9bb60b5494b6460c |
+-----------+----------------------------------+
fabien@devstack-1:~/devstack$ keystone ec2-credentials-get --access 11fcd9628779482f9b7971ec0bc69359
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| access | 11fcd9628779482f9b7971ec0bc69359 |
| secret | 4c7aa22f89ba49ce8de67512abf513df |
| tenant_id | 53f4610540fd4be7938e65f4c9567e25 |
| user_id | 970acc126501440b9bb60b5494b6460c |
+-----------+----------------------------------+
fabien@devstack-1:~/devstack$ keystone ec2-credentials-delete --access 11fcd9628779482f9b7971ec0bc69359
Unable to delete credential: Could not find credential, 11fcd9628779482f9b7971ec0bc69359. (HTTP 404)

As admin user the deletion works as expected:
fabien@devstack-1:~$ . openrc admin admin
fabien@devstack-1:~/devstack$ . openrc admin admin
fabien@devstack-1:~/devstack$ keystone ec2-credentials-delete --access 11fcd9628779482f9b7971ec0bc69359
Credential has been deleted.

Is this the normal behavior?

Steven Hardy (shardy) wrote :

Confirmed, this is because the non-admin code path is using the non-hashed access ID for the DB lookup:

https://github.com/openstack/keystone/blob/master/keystone/contrib/ec2/controllers.py#L268

Changed in keystone:
assignee: nobody → Steven Hardy (shardy)
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/54378

Changed in keystone:
status: Confirmed → In Progress
Steven Hardy (shardy) wrote :

Any chance of a review of the patch above?

It's really demotivating to post patches and have them ignored for weeks, particularly when, as in this case, it's a simple fix for a fairly significant issue. :(

Steven Hardy (shardy)
tags: added: havana-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/54378
Committed: http://github.com/openstack/keystone/commit/85ca6ac8a7fab14c659673ddf47777badcbcbf04
Submitter: Jenkins
Branch: master

commit 85ca6ac8a7fab14c659673ddf47777badcbcbf04
Author: Steven Hardy <email address hidden>
Date: Tue Oct 29 16:50:17 2013 +0000

    Fix issue deleting ec2-credentials as non-admin user

    The ec2tokens controller incorrectly uses the access id, not the
    hashed credential id in _assert_owner, which means that non-admin
    users can't delete their ec2-credentials. Adding the hashing, as
    in _get_credentials fixes the problem. Test added demonstrating
    the issue.

    Change-Id: Ifb6e3e10a50541cf21d25880bd74e9aeb6df4f26
    Closes-Bug: #1245435

Changed in keystone:
status: In Progress → Fix Committed
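
The lookup mismatch this report describes, as an added Python example that is not keystone's code: credentials are stored under a hashed id, the ownership check for non-admin callers looks them up by the raw access id, and the fix hashes before the lookup. `CredentialStore`, `credential_id`, `assert_owner`, `delete_credential` and `outcome` are hypothetical names, SHA-256 as the hash is an assumption, and the admin path skipping the ownership check is modeled from the behavior reported above.

```python
import hashlib

class CredentialNotFound(Exception):
    """Stands in for the HTTP 404 in the report."""

class Forbidden(Exception):
    """Raised when the caller does not own the credential."""

def credential_id(access):
    # Assumption: the stored id is the SHA-256 hex digest of the access key.
    return hashlib.sha256(access.encode("utf-8")).hexdigest()

class CredentialStore:
    """Hypothetical in-memory backend keyed by the hashed access id."""
    def __init__(self):
        self._rows = {}

    def create(self, user_id, access):
        self._rows[credential_id(access)] = {"user_id": user_id}

    def get(self, cred_id):
        if cred_id not in self._rows:
            raise CredentialNotFound(cred_id)
        return self._rows[cred_id]

    def delete(self, cred_id):
        self.get(cred_id)
        del self._rows[cred_id]

def assert_owner(store, user_id, access, hash_lookup):
    # hash_lookup=False reproduces the reported lookup by raw access id.
    key = credential_id(access) if hash_lookup else access
    if store.get(key)["user_id"] != user_id:
        raise Forbidden(access)

def delete_credential(store, user_id, access, is_admin=False, hash_lookup=True):
    if not is_admin:  # modeled: only non-admin callers go through the owner check
        assert_owner(store, user_id, access, hash_lookup)
    store.delete(credential_id(access))

def outcome(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
        return "deleted"
    except (CredentialNotFound, Forbidden) as exc:
        return type(exc).__name__
```

With the hashed lookup, the owner can delete the credential while a different non-admin user is still refused, which is the property a regression test for this fix should cover alongside the 404 case.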
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/81492

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Alan Pevec (apevec)
tags: removed: havana-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/havana)

Reviewed: https://review.openstack.org/81492
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a120f251d0ccba90803952ccf6099e86334c4df9
Submitter: Jenkins
Branch: stable/havana

commit a120f251d0ccba90803952ccf6099e86334c4df9
Author: Steven Hardy <email address hidden>
Date: Tue Oct 29 16:50:17 2013 +0000

    Fix issue deleting ec2-credentials as non-admin user

    The ec2tokens controller incorrectly uses the access id, not the
    hashed credential id in _assert_owner, which means that non-admin
    users can't delete their ec2-credentials. Adding the hashing, as
    in _get_credentials fixes the problem. Test added demonstrating
    the issue.

    Change-Id: Ifb6e3e10a50541cf21d25880bd74e9aeb6df4f26
    Closes-Bug: #1245435
    (cherry picked from commit 85ca6ac8a7fab14c659673ddf47777badcbcbf04)

Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-1 → 2014.1