swauth: illegally obtaining reseller admin credentials via GET v2/account/user call

Asked by Rostik Slipetskyy

In swauth, a user acting as .admin for some account can retrieve data for any user that belongs to that account. If it happens that a reseller admin is registered in the given account, a malicious admin can obtain the credentials of .reseller_admin via a GET v2/account/reseller-admin call (and then create/delete accounts illegally).

It looks like common/middleware/swauth.py#handle_get_user method should be changed in the following way:
1) .super_admin and .reseller_admin can get info for any user
2) .admin can get info for all users that are not .reseller_admins

Does it make sense?
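The check proposed above, modelled as an added Python example (not swauth's own code): it assumes swauth-style user records with a "groups" list in which ".admin" marks an account admin and ".reseller_admin" marks a reseller admin, and puts the behaviour described in the question beside the proposed rule.

```python
SUPER_ADMIN = "super_admin"  # holder of the .super_admin key, modelled as a sentinel role

# Constructed sample user directory for one account (keyed by user name).
# Records follow the swauth style assumed here: an "auth" credential string and a
# "groups" list in which ".admin" marks an account admin and ".reseller_admin"
# marks a reseller admin. The credential values are made-up placeholders.
ACCOUNT_USERS = {
    "alice": {"auth": "plaintext:PLACEHOLDER-A", "groups": ["acct:alice", "acct", ".admin"]},
    "bob": {"auth": "plaintext:PLACEHOLDER-B", "groups": ["acct:bob", "acct"]},
    "reseller-admin": {"auth": "plaintext:PLACEHOLDER-R",
                       "groups": ["acct:reseller-admin", "acct", ".admin", ".reseller_admin"]},
}

def is_reseller_admin(record):
    return record != SUPER_ADMIN and ".reseller_admin" in record.get("groups", [])

def is_account_admin(record):
    return record != SUPER_ADMIN and ".admin" in record.get("groups", [])

def can_get_user_vulnerable(requester, target):
    """Behaviour the question describes: any .admin of the account may read any
    user record in it, so a reseller admin's credentials leak to account admins."""
    return requester == SUPER_ADMIN or is_reseller_admin(requester) or is_account_admin(requester)

def can_get_user_fixed(requester, target):
    """Proposed rule: super admin and reseller admins may read any user; an
    account admin may read only users who are not reseller admins."""
    if requester == SUPER_ADMIN or is_reseller_admin(requester):
        return True
    if is_account_admin(requester):
        return not is_reseller_admin(target)
    return False  # plain users are refused in this model (an assumption)

def handle_get_user(requester, user_name, check=can_get_user_fixed):
    """Model of GET v2/<account>/<user>: returns (status, record-or-None).
    The authorization check runs before the lookup so that an unauthorized
    requester cannot use 403-versus-404 to learn which user names exist."""
    target = ACCOUNT_USERS.get(user_name)
    if not check(requester, target if target is not None else {}):
        return 403, None
    if target is None:
        return 404, None
    return 200, target
```

Calling `handle_get_user(ACCOUNT_USERS["alice"], "reseller-admin", check=can_get_user_vulnerable)` returns the reseller admin's record; with the default (proposed) check the same call returns 403.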

Question information

Language: English
Status: Answered
For: OpenStack Object Storage (swift)
Assignee: No assignee
gholt (gholt) said (#1):

Yes, that makes sense. It just took me a bit. :) Filing a bug.
