Bug 1189639 - [RFE][keystone]: rescope tokens unscoped to scoped only
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Upstream M3
Target Release: 7.0 (Kilo)
Assigned To: Nathan Kinder
QA Contact: Mike Abrams
URL: https://blueprints.launchpad.net/keys...
Whiteboard: upstream_milestone_kilo-3 upstream_de...
Keywords: FutureFeature, OtherQA
Reported: 2015-02-05 09:18 EST by RHOS Integration
Modified: 2016-04-26 09:45 EDT (History)
Fixed In Version: openstack-keystone-2015.1.0-1.el7ost
Doc Type: Enhancement
Doc Text:
The Identity service can now restrict token re-scoping so that only unscoped tokens may be exchanged for scoped tokens. The Identity service allows an existing token to be used to obtain a new token via the 'token' authentication method. Previously, a user with a valid token scoped to a project could use that token to obtain another token for a different project they were authorized for. This allowed anyone possessing a user's token to access any project the user has access to, rather than only the project the token is scoped to. To improve the security properties of scoped tokens, it was desirable to disallow this. A new 'allow_rescope_scoped_token' configuration option is available to allow token rescoping to be restricted. When this restriction is enabled, rescoping is only allowed by authenticating with an unscoped token.
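The behaviour described in the Doc Text, as an added illustrative model rather than keystone's own code: a stored token is either unscoped or scoped to one project, and the `[token]/allow_rescope_scoped_token` option (upstream default true; setting it to false enables the restriction) decides whether a scoped token may be exchanged for another scope. The project names and user are constructed sample data.

```python
"""Illustrative model of Keystone's token-auth rescoping check (added
example, not keystone's own code).  A stored token is either unscoped
or scoped to one project; the 'token' auth method exchanges it for a
new token.  [token]/allow_rescope_scoped_token (upstream default: true)
decides whether a *scoped* token may be exchanged for another scope."""
from dataclasses import dataclass, field
from typing import List, Optional
import secrets


class Forbidden(Exception):
    """Raised when the rescoping request must be refused."""


@dataclass
class Token:
    user: str
    project: Optional[str]  # None means the token is unscoped
    token_id: str = field(default_factory=lambda: secrets.token_hex(8))

    @property
    def scoped(self) -> bool:
        return self.project is not None


def rescope(token: Token, target_project: str,
            allow_rescope_scoped_token: bool) -> Token:
    """Authenticate with an existing token and request one scoped to
    target_project.  With the option set to false, only an unscoped
    token may be used; a scoped token is refused regardless of target."""
    if token.scoped and not allow_rescope_scoped_token:
        raise Forbidden("rescope a scoped token")
    return Token(user=token.user, project=target_project)


def reachable_projects(restricted: bool) -> List[str]:
    """Constructed scenario: alice is authorized for 'billing' and
    'analytics'.  Someone holding only her token scoped to 'billing'
    tries to exchange it for each project; return what they obtain."""
    held = Token(user="alice", project="billing")
    reached = []
    for project in ("billing", "analytics"):
        try:
            new = rescope(held, project, allow_rescope_scoped_token=not restricted)
            reached.append(new.project)
        except Forbidden:
            pass
    return reached
```

With the default setting `reachable_projects(False)` yields both projects, while with the restriction on it yields an empty list; an unscoped token (`Token("alice", None)`) can still be exchanged for a scoped one in either mode.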
Last Closed: 2015-08-05 09:20:24 EDT
External Trackers
Tracker ID: Red Hat Product Errata RHEA-2015:1548
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory
Last Updated: 2015-08-05 13:07:06 EDT

Description RHOS Integration 2015-02-05 09:18:14 EST
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/rescoping.

Description:

Allow only rescoping from unscoped tokens.

Specification URL (additional information):

http://specs.openstack.org/openstack/keystone-specs/specs/kilo/rescoping.html
Comment 7 errata-xmlrpc 2015-08-05 09:20:24 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548