)]}'
{"id":"openstack%2Fkeystone~987476","triplet_id":"openstack%2Fkeystone~stable%2F2025.2~I7c10c8a52e57e63cb9c66d03d69540abefe5425c","project":"openstack/keystone","branch":"stable/2025.2","topic":"clean-stack-stable/2026.1-stable/2025.2","attention_set":{"27900":{"account":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"last_update":"2026-05-07 12:01:22.000000000","reason":"Added by \u003cGERRIT_ACCOUNT_37598\u003e using the hovercard menu","reason_account":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"}},"14250":{"account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"last_update":"2026-05-07 11:43:19.000000000","reason":"Reviewer was added"},"7414":{"account":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"last_update":"2026-05-07 11:43:29.000000000","reason":"\u003cGERRIT_ACCOUNT_37598\u003e replied on the change","reason_account":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"}}},"removed_from_attention_set":{},"hashtags":[],"change_id":"I7c10c8a52e57e63cb9c66d03d69540abefe5425c","subject":"Enforce app cred project boundary on EC2 credential paths","status":"NEW","created":"2026-05-06 10:53:24.000000000","updated":"2026-05-07 12:01:22.000000000","submit_type":"MERGE_IF_NECESSARY","mergeable":true,"submittable":false,"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"cherry_pick_of_change":986389,"cherry_pick_of_patch_set":3,"meta_rev_id":"02a09c901df70f96e7b6464f22dc2106d2adecbf","_number":987476,"virtual_id_number":987476,"owner":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"actions":{},"labels":{"Verified":{"recommended":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"tag":"autogenerated:zuul:check","value":1,"date":"2026-05-06 12:36:58.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":0,"permitted_voting_range":{"min":-2,"max":2},"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-05-06 10:53:24.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"CC"},{"updated":"2026-05-06 12:36:58.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-05-06 14:46:23.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"},{"updated":"2026-05-07 11:43:19.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"REVIEWER"},{"updated":"2026-05-07 11:43:29.000000000","updated_by":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"reviewer":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"state":"REVIEWER"}],"messages":[{"id":"2094e83e9c08cc0198f08138ea5dfb75fa9536b0","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"date":"2026-05-06 10:53:24.000000000","message":"Patch Set 1: Cherry Picked from branch stable/2026.1.","accounts_in_message":[],"_revision_number":1},{"id":"4a54d4eba4a3ea21eea9d4e76f3691880291021b","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-05-06 12:36:58.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/5abf31bb28f741188f687890e064d5c0\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/36160b0eb31f45199c88c0154be072c8 : SUCCESS in 14m 42s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/484204b303db4dbe8a57542bf1f3bf96 : SUCCESS in 6m 49s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/81d5aa57eef34e27a08168edd0253710 : SUCCESS in 7m 52s\n- openstack-tox-py312 https://zuul.opendev.org/t/openstack/build/e4c1d3ee62a649f697a7cc428b2b3bc8 : SUCCESS in 12m 52s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/50d7a956a6d1413ca4eb160f03f5068a : SUCCESS in 15m 49s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/197f23ce7cf54ca6a269d5c69e141d00 : SUCCESS in 13m 37s\n- grenade https://zuul.opendev.org/t/openstack/build/369f6e08e5644797bd42826535e8b683 : SUCCESS in 1h 00m 15s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/77bb94aec79343dbba6a6f4238c356c2 : SUCCESS in 1h 27m 13s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/34ce3986b4bf4b69a7b3e1ac74fd7c74 : SUCCESS in 18m 47s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/79ddc060fe0f4d9daf2d5583e19646c8 : SUCCESS in 18m 37s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/f1a04bb654bf44c69a775128832ae17e : FAILURE in 15m 11s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/9fa964e098804d5882e425e46a4ae148 : FAILURE in 26m 13s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/45ee0014b2514aada56de206cc73f67c : SUCCESS in 30m 13s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/473d6b2494214b1f9b9fb3e667d07b85 : SUCCESS in 14m 59s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/7f3aeebc201b4ff2a1f18fd78e2d72f6 : SUCCESS in 41m 58s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/8d30e034c32d453e93385ead95a6af35 : SUCCESS in 57m 36s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/f00da7a920024196b7943096342b2404 : FAILURE in 34m 32s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/2f76bc666d4e4f3db6801abf5f47c1cd : FAILURE in 7m 01s (non-voting)","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"d9e18a37888cabdea919c58b24f630fd722aa8b0","revisions":{"d9e18a37888cabdea919c58b24f630fd722aa8b0":{"kind":"REWORK","_number":1,"created":"2026-05-06 10:53:24.000000000","uploader":{"_account_id":37598,"name":"Ivan Anfimov","display_name":"Ivan Anfimov","email":"lazekteam@gmail.com","username":"anfimovir"},"ref":"refs/changes/76/987476/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/76/987476/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/76/987476/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/76/987476/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/76/987476/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/76/987476/1"}}},"commit":{"parents":[{"commit":"3f87f91495d25a14b4ef3a82dc6c9a0cf71f2877","subject":"Block app cred tokens from authorizing OAuth1 requests","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/3f87f91495d25a14b4ef3a82dc6c9a0cf71f2877"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-04-22 11:23:44.000000000","tz":120},"committer":{"name":"Ivan Anfimov","email":"lazekteam@gmail.com","date":"2026-05-06 10:53:24.000000000","tz":0},"subject":"Enforce app cred project boundary on EC2 credential paths","message":"Enforce app cred project boundary on EC2 credential paths\n\nPOST /v3/credentials did not validate that the caller-supplied\nproject_id for an EC2-type credential matched the project of the\nauthenticating application credential. This allowed an attacker\nholding an unrestricted application credential for project A to\ncreate an EC2 credential targeting project B; a subsequent\n/v3/ec2tokens exchange would then issue a Keystone token scoped to\nproject B while still carrying the original app_cred_id, enabling\ncross-project lateral movement within the credential owner\u0027s role\nfootprint.\n\nTwo fixes:\n\n1. credentials.py: after extracting app_cred_id from the token,\n   check that credential[\u0027project_id\u0027] \u003d\u003d app_cred[\u0027project_id\u0027]\n   for EC2-type credentials and raise ForbiddenAction otherwise.\n\n2. EC2_S3_Resource.py: in handle_authenticate(), assert that the\n   stored EC2 credential project_id matches the application\n   credential\u0027s project before issuing the token.\n\nThis issue is orthogonal to CVE-2026-33551 (LP#2142138 / Gerrit\n983655), which blocks restricted application credentials from\ncreating EC2 credentials at all. The project-boundary check is\nabsent regardless of the restricted flag and requires separate\ntreatment.\n\nCloses-Bug: #2149775\nRelated-Bug: #OSPRH-29345\nAssisted-by: claude-sonnet-4-6 \u003cnoreply@anthropic.com\u003e\nChange-Id: I7c10c8a52e57e63cb9c66d03d69540abefe5425c\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n(cherry picked from commit b6fd80996b882890a51f3e2aab41d952d7ff68ae)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/d9e18a37888cabdea919c58b24f630fd722aa8b0"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/d9e18a37888cabdea919c58b24f630fd722aa8b0"}]},"branch":"refs/heads/stable/2025.2","conflicts":{"ours":"3f87f91495d25a14b4ef3a82dc6c9a0cf71f2877","theirs":"60770681b4e4e0b23e048285ec1e82523dc241da","contains_conflicts":false}}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY"},{"label":"Workflow","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Verified\u003dMAX","label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Workflow\u003dMAX","label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}