[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1703369] Re: get_identity_providers policy should be singular

Reviewed:  https://review.openstack.org/564150
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=93bb571888a1bff4fa1e110356dbf2cb9fb4ee52
Submitter: Zuul
Branch:    master

commit 93bb571888a1bff4fa1e110356dbf2cb9fb4ee52
Author: Radomir Dopieralski <openstack at sheep.art.pl>
Date:   Wed Apr 25 11:37:05 2018 +0200

    Replace all mentions of get_identity_providers with get_identity_provider
    There was a typo in keystone's policy files, and it has been fixed in
    Keystone already, we should also fix it to match.
    Change-Id: I41e4381765f3bfc5988ca235e6cbeb6d1ba62fc2
    Closes-bug: #1703369

** Changed in: horizon
       Status: In Progress => Fix Released

You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.

  get_identity_providers policy should be singular

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) newton series:
  Fix Committed
Status in OpenStack Identity (keystone) ocata series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  identity:get_identity_providers should be
  identity:get_identity_provider (singular) since a GET is targeted on a
  single provider and the code is setup to check for
  identity:get_identity_provider (singular). See

  found in master (pike)

  The ocata default policy.json also has this problem. Unless someone
  manually overrode policy to specify identity:get_identity_provider
  (singular), the result would be that the default rule was actually
  used for that check instead of identity:get_identity_providers. We
  could go back and fix the default policy.json for past releases, but
  the default actually has the same value as
  identity:get_identity_providers, and if nobody has complained it's
  probably safer to just leave it. It is, after all, just defaults there
  and anyone can override by specifying the correct value.

  But we must fix in pike to go along with the shift of policy into
  code. Policy defaults in code definitely need to match up with what
  the code actually checks. There should no longer be any reliance on
  the default rule.

To manage notifications about this bug go to: