Critical severity · NVD Advisory · Published Jun 21, 2019 · Updated Aug 6, 2024

CVE-2016-7404

Description

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenStack Magnum passes OpenStack credentials into Heat templates, allowing instances to access the user's full API scope.

Vulnerability Description

CVE-2016-7404 is an information disclosure flaw in OpenStack Magnum where the service embeds the creating user's OpenStack credentials directly into Heat orchestration templates used to provision container instances [1]. The credentials are intended only for retrieving SSL certificates, but they grant full API access to the user's OpenStack account [1][3].

Attack Vector and Prerequisites

An attacker who gains access to a Magnum-provisioned instance (e.g., through a separate compromise of the container or underlying host) can extract the stored credentials from the Heat template metadata [2]. No additional authentication is needed because the credentials are already embedded; the attacker simply issues API calls using those credentials on behalf of the original Magnum user [1]. The exploit does not require network position beyond access to the affected instance.

Impact

With the extracted credentials, an attacker can perform any API operation the original user is authorized to perform, including creating, deleting, or modifying clusters, cluster templates, and other Magnum resources [1][2]. This effectively escalates a local instance compromise to a full compromise of the user's OpenStack API privileges, potentially leading to data exposure, resource manipulation, or denial of service.

Mitigation

The vulnerability was addressed in commit e93d82e8b3bc19211efd54edc17aebdca50670c1 by introducing an RBAC policy rule (`deny_cluster_user`) that restricts operations from the embedded credentials to only those necessary for SSL certificate retrieval [2]. Users should update their Magnum deployment to a version including the fix or implement the policy change as a workaround [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
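
A check an operator could run against a deployed policy.json and magnum.conf to confirm that the policy change described under Mitigation is in place. This is an added example, not Magnum code: the rule strings are taken from the fix commit shown on this page, while the function names and the sample inputs are constructed for illustration.

```python
"""Audit a Magnum policy.json / magnum.conf for the CVE-2016-7404 hardening."""
import configparser
import json
import re

# Operations the fix commit moved from rule:default to rule:deny_cluster_user.
RESOURCES = ("bay", "baymodel", "cluster", "clustertemplate")
ACTIONS = ("create", "delete", "detail", "get", "get_all", "update")
GUARDED_OPS = [f"{r}:{a}" for r in RESOURCES for a in ACTIONS]
CERT_OPS = ("certificate:create", "certificate:get")

RULE_REF = re.compile(r"rule:([\w.:-]+)")


def references(policy, rule_text, wanted, seen=None):
    """True if rule_text names rule:<wanted>, directly or through other rules.

    This is a textual check; it does not evaluate and/or/not logic.
    """
    seen = set() if seen is None else seen
    for name in RULE_REF.findall(str(rule_text)):
        if name == wanted:
            return True
        if name in policy and name not in seen:
            seen.add(name)
            if references(policy, policy[name], wanted, seen):
                return True
    return False


def audit_policy(policy):
    """Report which parts of a parsed policy.json lack the post-fix rules."""
    # oslo.policy falls back to the "default" rule for operations not listed.
    fallback = policy.get("default", "")
    unguarded = [op for op in GUARDED_OPS
                 if not references(policy, policy.get(op, fallback),
                                   "deny_cluster_user")]
    certs_ok = all(references(policy, policy.get(op, fallback), "cluster_user")
                   for op in CERT_OPS)
    return {
        "deny_rule_defined":
            "trustee_domain_id" in policy.get("deny_cluster_user", ""),
        "unguarded": unguarded,
        "certs_allow_trustee": certs_ok,
    }


def cluster_user_trust_enabled(conf_text):
    """Read [trust] cluster_user_trust; the option defaults to False."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.getboolean("trust", "cluster_user_trust", fallback=False)


def sample_policy(fixed):
    """Constructed sample using the rule strings shown in the fix diff."""
    policy = {
        "default": "rule:admin_or_owner",
        "admin_api": "rule:context_is_admin",
        "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    }
    if fixed:
        policy["cluster_user"] = "user_id:%(trustee_user_id)s"
        policy["deny_cluster_user"] = "not domain_id:%(trustee_domain_id)s"
    guard = "rule:deny_cluster_user" if fixed else "rule:default"
    cert = "rule:admin_or_user" + (" or rule:cluster_user" if fixed else "")
    policy.update({op: guard for op in GUARDED_OPS})
    policy.update({op: cert for op in CERT_OPS})
    return policy


# Constructed magnum.conf fragment; option names are those used in the diff.
SAMPLE_CONF = "[trust]\ncluster_user_trust = True\ntrustee_domain_name = magnum\n"

if __name__ == "__main__":
    for label, fixed in (("pre-fix", False), ("post-fix", True)):
        report = audit_policy(sample_policy(fixed))
        print(label, json.dumps({**report,
                                 "unguarded": len(report["unguarded"])}))
    print("cluster_user_trust enabled:",
          cluster_user_trust_enabled(SAMPLE_CONF))
```

For a real deployment, pass `json.load()` of the installed policy.json to `audit_policy()` and the text of magnum.conf to `cluster_user_trust_enabled()`.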

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| openstack-magnum (PyPI) | < 5.0.0 | 5.0.0 |

Patches

e93d82e8b3bc: Fix CVE-2016-7404

https://github.com/openstack/magnum · Johannes Grassler · Sep 16, 2016 · via ghsa
27 files changed · +171 -75
  • devstack/lib/magnum (+1 -0, modified)
    @@ -204,6 +204,7 @@ function create_magnum_conf {
                   --os-identity-api-version 3 role add \
                   --user $trustee_domain_admin_id --domain $trustee_domain_id \
                   admin
    +    iniset $MAGNUM_CONF trust cluster_user_trust True
         iniset $MAGNUM_CONF trust trustee_domain_name magnum
         iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
         iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
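
Review bot: the added `iniset $MAGNUM_CONF trust cluster_user_trust True` switches on, unconditionally, the option that this same commit's help text in magnum/conf/trust.py calls a potential security risk and defaults to False. Gate it on a devstack variable that defaults to off, or add a comment naming the jobs that need it, so that configurations derived from devstack do not inherit the permissive value.
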
    
  • etc/magnum/policy.json (+28 -26, modified)
    @@ -4,35 +4,37 @@
         "default": "rule:admin_or_owner",
         "admin_api": "rule:context_is_admin",
         "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    +    "cluster_user": "user_id:%(trustee_user_id)s",
    +    "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
     
    -    "bay:create": "rule:default",
    -    "bay:delete": "rule:default",
    -    "bay:detail": "rule:default",
    -    "bay:get": "rule:default",
    -    "bay:get_all": "rule:default",
    -    "bay:update": "rule:default",
    +    "bay:create": "rule:deny_cluster_user",
    +    "bay:delete": "rule:deny_cluster_user",
    +    "bay:detail": "rule:deny_cluster_user",
    +    "bay:get": "rule:deny_cluster_user",
    +    "bay:get_all": "rule:deny_cluster_user",
    +    "bay:update": "rule:deny_cluster_user",
     
    -    "baymodel:create": "rule:default",
    -    "baymodel:delete": "rule:default",
    -    "baymodel:detail": "rule:default",
    -    "baymodel:get": "rule:default",
    -    "baymodel:get_all": "rule:default",
    -    "baymodel:update": "rule:default",
    +    "baymodel:create": "rule:deny_cluster_user",
    +    "baymodel:delete": "rule:deny_cluster_user",
    +    "baymodel:detail": "rule:deny_cluster_user",
    +    "baymodel:get": "rule:deny_cluster_user",
    +    "baymodel:get_all": "rule:deny_cluster_user",
    +    "baymodel:update": "rule:deny_cluster_user",
         "baymodel:publish": "rule:admin_or_owner",
     
    -    "cluster:create": "rule:default",
    -    "cluster:delete": "rule:default",
    -    "cluster:detail": "rule:default",
    -    "cluster:get": "rule:default",
    -    "cluster:get_all": "rule:default",
    -    "cluster:update": "rule:default",
    +    "cluster:create": "rule:deny_cluster_user",
    +    "cluster:delete": "rule:deny_cluster_user",
    +    "cluster:detail": "rule:deny_cluster_user",
    +    "cluster:get": "rule:deny_cluster_user",
    +    "cluster:get_all": "rule:deny_cluster_user",
    +    "cluster:update": "rule:deny_cluster_user",
     
    -    "clustertemplate:create": "rule:default",
    -    "clustertemplate:delete": "rule:default",
    -    "clustertemplate:detail": "rule:default",
    -    "clustertemplate:get": "rule:default",
    -    "clustertemplate:get_all": "rule:default",
    -    "clustertemplate:update": "rule:default",
    +    "clustertemplate:create": "rule:deny_cluster_user",
    +    "clustertemplate:delete": "rule:deny_cluster_user",
    +    "clustertemplate:detail": "rule:deny_cluster_user",
    +    "clustertemplate:get": "rule:deny_cluster_user",
    +    "clustertemplate:get_all": "rule:deny_cluster_user",
    +    "clustertemplate:update": "rule:deny_cluster_user",
         "clustertemplate:publish": "rule:admin_or_owner",
     
         "quotas:get": "rule:default",
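
Review bot: replacing `rule:default` with `rule:deny_cluster_user` on the bay, baymodel, cluster and clustertemplate operations removes the `rule:admin_or_owner` check those operations inherited through `default`; the new rule is only `not domain_id:%(trustee_domain_id)s`, so at the policy layer any caller outside the trustee domain now passes. If ownership is still meant to be enforced here, combine the two, for example `rule:default and rule:deny_cluster_user`; if it is now left to the project filter in the DB layer, state that in the commit message.
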
    @@ -41,9 +43,9 @@
         "quotas:update": "rule:admin_api",
         "quotas:delete": "rule:admin_api",
     
    -    "certificate:create": "rule:admin_or_user",
    -    "certificate:get": "rule:admin_or_user",
         "certificate:rotate_ca": "rule:admin_or_owner",
    +    "certificate:create": "rule:admin_or_user or rule:cluster_user",
    +    "certificate:get": "rule:admin_or_user or rule:cluster_user",
     
         "magnum-service:get_all": "rule:admin_api",
         "stats:get_all": "rule:admin_or_owner"
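
Review bot: `rule:cluster_user` on `certificate:create` and `certificate:get` matches on `%(trustee_user_id)s` from the target, but `add_policy_attributes()` in magnum/common/policy.py injects only `trustee_domain_id`, and the default target built in `enforce()` carries just `project_id` and `user_id`. Confirm that the certificate controllers pass the cluster (with its `trustee_user_id`) as the target, and add a test for a trustee requesting a certificate for a cluster other than its own. Moving the two rules below `certificate:rotate_ca` also adds diff noise with no functional reason.
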
    
  • magnum/common/keystone.py (+1 -0, modified)
    @@ -204,6 +204,7 @@ def create_trust(self, trustee_user):
                     project=trustor_project_id,
                     trustee_user=trustee_user,
                     impersonation=True,
    +                delegation_depth=0,
                     role_names=roles)
             except Exception:
                 LOG.exception(_LE('Failed to create trust'))
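
Review bot: `delegation_depth=0` stops the trustee from re-delegating the trust, but `impersonation=True` on the line above it is unchanged, so a token scoped to this trust still acts as the trustor with every role in `role_names`. Add a short comment at the call saying that redelegation is what this parameter closes and that impersonation is kept deliberately, so the line is not read as a reduction in scope.
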
    
  • magnum/common/policy.py (+12 -0, modified)
    @@ -20,6 +20,8 @@
     from oslo_policy import policy
     import pecan
     
    +from magnum.common import clients
    +from magnum.common import context
     from magnum.common import exception
     
     
    @@ -92,10 +94,20 @@ def enforce(context, rule=None, target=None,
         if target is None:
             target = {'project_id': context.project_id,
                       'user_id': context.user_id}
    +    add_policy_attributes(target)
         return enforcer.enforce(rule, target, credentials,
                                 do_raise=do_raise, exc=exc, *args, **kwargs)
     
     
    +def add_policy_attributes(target):
    +    """Adds extra information for policy enforcement to raw target object"""
    +    admin_context = context.make_admin_context()
    +    admin_osc = clients.OpenStackClients(admin_context)
    +    trustee_domain_id = admin_osc.keystone().trustee_domain_id
    +    target['trustee_domain_id'] = trustee_domain_id
    +    return target
    +
    +
     def enforce_wsgi(api_name, act=None):
         """This is a decorator to simplify wsgi action policy rule check.
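
Review bot: `add_policy_attributes()` builds an admin context and a new `OpenStackClients` on every `enforce()` call just to read `trustee_domain_id`, so each policy check now constructs a fresh admin client and fails if that lookup fails. Resolve the domain ID once and cache it. The function also mutates a caller-supplied `target` in place, which is surprising when the target is an object rather than the default dict; work on a copy, and end the docstring with a period.
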
     
    
  • magnum/conductor/handlers/common/trust_manager.py (+10 -3, modified)
    @@ -22,15 +22,20 @@
     def create_trustee_and_trust(osc, cluster):
         try:
             password = utils.generate_password(length=18)
    +
             trustee = osc.keystone().create_trustee(
    -            cluster.uuid,
    +            "%s_%s" % (cluster.uuid, cluster.project_id),
                 password,
             )
    +
             cluster.trustee_username = trustee.name
             cluster.trustee_user_id = trustee.id
             cluster.trustee_password = password
    -        trust = osc.keystone().create_trust(trustee.id)
    +
    +        trust = osc.keystone().create_trust(
    +            cluster.trustee_user_id)
             cluster.trust_id = trust.id
    +
         except Exception:
             LOG.exception(
                 _LE('Failed to create trustee and trust for Cluster: %s'),
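
Review bot: `osc.keystone().create_trust(cluster.trustee_user_id)` still runs for every cluster regardless of the new `trust/cluster_user_trust` option; the option only decides whether the trust ID is written into the template, so the delegation itself continues to exist for a trustee whose password is on the instance. Skip trust creation when the option is off and the cluster template does not need it. Separately, the project ID is now encoded in the trustee name as `"%s_%s" % (cluster.uuid, cluster.project_id)` and parsed back out in magnum/db/sqlalchemy/api.py; add a comment here naming that dependency so the format is not changed in isolation.
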
    @@ -41,9 +46,11 @@ def create_trustee_and_trust(osc, cluster):
     
     def delete_trustee_and_trust(osc, context, cluster):
         try:
    +        kst = osc.keystone()
    +
             # The cluster which is upgraded from Liberty doesn't have trust_id
             if cluster.trust_id:
    -            osc.keystone().delete_trust(context, cluster)
    +            kst.delete_trust(context, cluster)
         except Exception:
             # Exceptions are already logged by keystone().delete_trust
             pass
    
  • magnum/conf/trust.py (+11 -0, modified)
    @@ -18,6 +18,17 @@
                                title='Trustee options for the magnum services')
     
     trust_opts = [
    +    cfg.BoolOpt('cluster_user_trust',
    +                default=False,
    +                help=_('This setting controls whether to assign a trust to'
    +                       ' the cluster user or not. You will need to set it to'
    +                       ' True for clusters with volume_driver=cinder or'
    +                       ' registry_enabled=true in the underlying cluster'
    +                       ' template to work. This is a potential security risk'
    +                       ' since the trust gives instances OpenStack API access'
    +                       " to the cluster's project. Note that this setting"
    +                       ' does not affect per-cluster trusts assigned to the'
    +                       'Magnum service user.')),
         cfg.StrOpt('trustee_domain_id',
                    help=_('Id of the domain to create trustee for clusters')),
         cfg.StrOpt('trustee_domain_name',
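
Review bot: the help string for `cluster_user_trust` is missing a space between `' does not affect per-cluster trusts assigned to the'` and `'Magnum service user.'`, so it renders as "theMagnum". Start the last fragment with a space, as the other continuation lines do.
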
    
  • magnum/db/sqlalchemy/api.py (+16 -1, modified)
    @@ -26,6 +26,8 @@
     from sqlalchemy.orm.exc import NoResultFound
     from sqlalchemy.sql import func
     
    +from magnum.common import clients
    +from magnum.common import context as request_context
     from magnum.common import exception
     import magnum.conf
     from magnum.db import api
    @@ -122,8 +124,21 @@ def _add_tenant_filters(self, context, query):
             if context.is_admin and context.all_tenants:
                 return query
     
    -        if context.project_id:
    +        admin_context = request_context.make_admin_context(all_tenants=True)
    +        osc = clients.OpenStackClients(admin_context)
    +        kst = osc.keystone()
    +
    +        # User in a regular project (not in the trustee domain)
    +        if context.project_id and context.domain_id != kst.trustee_domain_id:
                 query = query.filter_by(project_id=context.project_id)
    +        # Match project ID component in trustee user's user name against
    +        # cluster's project_id to associate per-cluster trustee users who have
    +        # no project information with the project their clusters/cluster models
    +        # reside in. This is equivalent to the project filtering above.
    +        elif context.domain_id == kst.trustee_domain_id:
    +            user_name = kst.client.users.get(context.user_id).name
    +            user_project = user_name.split('_', 2)[1]
    +            query = query.filter_by(project_id=user_project)
             else:
                 query = query.filter_by(user_id=context.user_id)
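
Review bot: `user_name.split('_', 2)[1]` raises `IndexError` for a trustee whose name contains no underscore, which is the case for trustees created before this change, when the name was just `cluster.uuid`. Handle the short name explicitly, either by denying the request or by falling back to the `user_id` filter. The admin Keystone client is also constructed for every filtered query, before it is known whether the caller is in the trustee domain, and deriving the tenant filter from a user name turns that name into a security boundary; filtering on the cluster's stored `trustee_user_id` would be sturdier.
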
     
    
  • magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh (+0 -5, modified)
    @@ -49,11 +49,6 @@ auth_json=$(cat << EOF
                         "password": "$TRUSTEE_PASSWORD"
                     }
                 }
    -        },
    -        "scope": {
    -            "OS-TRUST:trust": {
    -                "id": "$TRUST_ID"
    -            }
             }
         }
     }
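
Review bot: with the `scope` / `OS-TRUST:trust` block removed, this request no longer asks for a trust-scoped token, so the Magnum API has to authorise the trustee without project information (the new branch in `_add_tenant_filters` covers that case). Add a comment above `auth_json` saying the missing scope is intentional, and check the rest of this fragment for remaining uses of `$TRUST_ID`.
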
    
  • magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh (+0 -5, modified)
    @@ -71,11 +71,6 @@ auth_json=$(cat << EOF
                         "password": "$TRUSTEE_PASSWORD"
                     }
                 }
    -        },
    -        "scope": {
    -            "OS-TRUST:trust": {
    -                "id": "$TRUST_ID"
    -            }
             }
         }
     }
    
  • magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml (+1 -1, modified)
    @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
     write_files:
       - path: /etc/sysconfig/heat-params
         owner: "root:root"
    -    permissions: "0644"
    +    permissions: "0600"
         content: |
           KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
           KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
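
Review bot: `permissions: "0600"` together with `owner: "root:root"` makes /etc/sysconfig/heat-params unreadable to every non-root process, so any fragment or service that reads this file as another user will now fail; confirm that all consumers run as root. The mode is applied by `write_files` when the instance is created, so clusters built before this change keep the 0644 file, and the release note should tell operators to correct or rebuild them.
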
    
  • magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml (+1 -1, modified)
    @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
     write_files:
       - path: /etc/sysconfig/heat-params
         owner: "root:root"
    -    permissions: "0644"
    +    permissions: "0600"
         content: |
           KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
           KUBE_MASTER_IP="$KUBE_MASTER_IP"
    
  • magnum/drivers/common/templates/swarm/fragments/make-cert.py (+0 -6, modified)
    @@ -150,19 +150,13 @@ def get_user_token(config):
                         "password": "%(trustee_password)s"
                     }
                 }
    -        },
    -        "scope": {
    -            "OS-TRUST:trust": {
    -                "id": "%(trust_id)s"
    -            }
             }
         }
     }
     '''
         params = {
             'trustee_user_id': config['TRUSTEE_USER_ID'],
             'trustee_password': config['TRUSTEE_PASSWORD'],
    -        'trust_id': config['TRUST_ID']
         }
         creds = creds_str % params
         headers = {'Content-Type': 'application/json'}
    
  • magnum/drivers/common/templates/swarm/fragments/write-heat-params-master.yaml (+1 -1, modified)
    @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
     write_files:
       - path: /etc/sysconfig/heat-params
         owner: "root:root"
    -    permissions: "0644"
    +    permissions: "0600"
         content: |
           WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
           WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
    
  • magnum/drivers/common/templates/swarm/fragments/write-heat-params-node.yaml (+1 -1, modified)
    @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
     write_files:
       - path: /etc/sysconfig/heat-params
         owner: "root:root"
    -    permissions: "0644"
    +    permissions: "0600"
         content: |
           WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT"
           WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN"
    
  • magnum/drivers/heat/template_def.py (+15 -1, modified)
    @@ -21,6 +21,7 @@
     from magnum.common import clients
     from magnum.common import exception
     import magnum.conf
    +from magnum.i18n import _LE
     from magnum.i18n import _LW
     
     from requests import exceptions as req_exceptions
    @@ -245,7 +246,20 @@ def get_params(self, context, cluster_template, cluster, **kwargs):
             extra_params['trustee_user_id'] = cluster.trustee_user_id
             extra_params['trustee_username'] = cluster.trustee_username
             extra_params['trustee_password'] = cluster.trustee_password
    -        extra_params['trust_id'] = cluster.trust_id
    +
    +        # Only pass trust ID into the template when it is needed.
    +        if (cluster_template.volume_driver == 'rexray' or
    +                cluster_template.registry_enabled):
    +            if CONF.trust.cluster_user_trust:
    +                extra_params['trust_id'] = cluster.trust_id
    +            else:
    +                missing_setting = ('trust/cluster_user_trust = True')
    +                msg = _LE('This cluster can only be created with %s in '
    +                          'magnum.conf')
    +                raise exception.ConfigInvalid(msg % missing_setting)
    +        else:
    +            extra_params['trust_id'] = ""
    +
             extra_params['auth_url'] = context.auth_url
     
             return super(BaseTemplateDefinition,
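
Review bot: the condition tests `cluster_template.volume_driver == 'rexray'`, while the help text added in magnum/conf/trust.py tells operators the option is needed for `volume_driver=cinder`; the two should agree. The user-facing exception message is wrapped in `_LE`, which is the log-translation marker; use `_` for text passed to `exception.ConfigInvalid`. Note also that `trustee_password` is still passed to every template just above this block, so the instance keeps a usable Keystone login even when `trust_id` is empty.
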
    
  • magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml (+0 -5, modified)
    @@ -66,11 +66,6 @@ write_files:
                               "password": "$TRUSTEE_PASSWORD"
                           }
                       }
    -              },
    -              "scope": {
    -                  "OS-TRUST:trust": {
    -                      "id": "$TRUST_ID"
    -                  }
                   }
               }
           }
    
  • magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml (+0 -5, modified)
    @@ -89,11 +89,6 @@ write_files:
                               "password": "$TRUSTEE_PASSWORD"
                           }
                       }
    -              },
    -              "scope": {
    -                  "OS-TRUST:trust": {
    -                      "id": "$TRUST_ID"
    -                  }
                   }
               }
           }
    
  • magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml (+1 -1, modified)
    @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
     write_files:
       - path: /etc/sysconfig/heat-params
         owner: "root:root"
    -    permissions: "0644"
    +    permissions: "0600"
         content: |
           KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
           KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
    
  • magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml (+1 -1, modified)
    @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
     write_files:
       - path: /etc/sysconfig/heat-params
         owner: "root:root"
    -    permissions: "0644"
    +    permissions: "0600"
         content: |
           KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
           KUBE_MASTER_IP="$KUBE_MASTER_IP"
    
  • magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml (+1 -1, modified)
    @@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
     write_files:
       - path: /etc/sysconfig/heat-params
         owner: "root:root"
    -    permissions: "0644"
    +    permissions: "0600"
         content: |
           MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
           EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"
    
  • magnum/tests/base.py (+27 -0, modified)
    @@ -26,6 +26,7 @@
     import testscenarios
     
     from magnum.common import context as magnum_context
    +from magnum.common import keystone as magnum_keystone
     from magnum.objects import base as objects_base
     from magnum.tests import conf_fixture
     from magnum.tests import fake_notifier
    @@ -63,11 +64,18 @@ def setUp(self):
                     }
                 }
             }
    +
    +        trustee_domain_id = '12345678-9012-3456-7890-123456789abc'
    +
             self.context = magnum_context.RequestContext(
                 auth_token_info=token_info,
                 project_id='fake_project',
                 user_id='fake_user')
     
    +        self.global_mocks = {}
    +
    +        self.keystone_client = magnum_keystone.KeystoneClientV3(self.context)
    +
             self.policy = self.useFixture(policy_fixture.PolicyFixture())
     
             self.useFixture(fixtures.MockPatchObject(
    @@ -89,9 +97,22 @@ def make_context(*args, **kwargs):
     
             p = mock.patch.object(magnum_context, 'make_context',
                                   side_effect=make_context)
    +
    +        self.global_mocks['magnum.common.context.make_context'] = p
    +
    +        q = mock.patch.object(magnum_keystone.KeystoneClientV3,
    +                              'trustee_domain_id',
    +                              return_value=trustee_domain_id)
    +
    +        self.global_mocks[
    +            'magnum.common.keystone.KeystoneClientV3.trustee_domain_id'] = q
    +
             self.mock_make_context = p.start()
             self.addCleanup(p.stop)
     
    +        self.mock_make_trustee_domain_id = q.start()
    +        self.addCleanup(q.stop)
    +
             self.useFixture(conf_fixture.ConfFixture())
             self.useFixture(fixtures.NestedTempfile())
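
Review bot: `mock.patch.object(magnum_keystone.KeystoneClientV3, 'trustee_domain_id', return_value=trustee_domain_id)` replaces the attribute with a MagicMock whose call returns the ID, but the production code added in this commit reads it as an attribute (`kst.trustee_domain_id`, no call), so in tests the comparison is made against the mock object and never against the string. Patch it with `new_callable=mock.PropertyMock` so that the trustee-domain branches are actually exercised.
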
     
    @@ -104,6 +125,12 @@ def reset_pecan():
     
             self.addCleanup(reset_pecan)
     
    +    def start_global(self, name):
    +        self.global_mocks[name].start()
    +
    +    def stop_global(self, name):
    +        self.global_mocks[name].stop()
    +
         def _restore_obj_registry(self):
             objects_base.MagnumObjectRegistry._registry._obj_classes \
                 = self._base_test_obj_backup
    
  • magnum/tests/unit/common/test_keystone.py (+15 -0, modified)
    @@ -55,6 +55,19 @@ def setUp(self):
                         admin_tenant_name='service',
                         group=ksconf.CFG_LEGACY_GROUP)
     
    +        # Disable global mocking for trustee_domain_id
    +        self.stop_global(
    +            'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
    +
    +    def tearDown(self):
    +        # Re-enable global mocking for trustee_domain_id. We need this because
    +        # mock blows up when trying to stop an already stopped patch (which it
    +        # will do due to the addCleanup() in base.TestCase).
    +        self.start_global(
    +            'magnum.common.keystone.KeystoneClientV3.trustee_domain_id')
    +
    +        super(KeystoneClientTest, self).tearDown()
    +
         def test_client_with_password(self, mock_ks):
             self.ctx.is_admin = True
             ks_client = keystone.KeystoneClientV3(self.ctx)
    @@ -136,6 +149,7 @@ def test_create_trust_with_all_roles(self, mock_session, mock_ks):
             ks_client.create_trust(trustee_user='888888')
     
             mock_ks.return_value.trusts.create.assert_called_once_with(
    +            delegation_depth=0,
                 trustor_user='123456', project='654321',
                 trustee_user='888888', role_names=['role1', 'role2'],
                 impersonation=True)
    @@ -152,6 +166,7 @@ def test_create_trust_with_limit_roles(self, mock_session, mock_ks):
             ks_client.create_trust(trustee_user='888888')
     
             mock_ks.return_value.trusts.create.assert_called_once_with(
    +            delegation_depth=0,
                 trustor_user='123456', project='654321',
                 trustee_user='888888', role_names=['role3'],
                 impersonation=True)
    
  • magnum/tests/unit/conductor/handlers/common/test_trust_manager.py (+2 -1, modified)
    @@ -37,6 +37,7 @@ def test_create_trustee_and_trust(self, mock_generate_password):
             mock_generate_password.return_value = mock_password
             mock_cluster = mock.MagicMock()
             mock_cluster.uuid = 'mock_cluster_uuid'
    +        mock_cluster.project_id = 'mock_cluster_project_id'
             mock_keystone = mock.MagicMock()
             mock_trustee = mock.MagicMock()
             mock_trustee.id = 'mock_trustee_id'
    @@ -52,7 +53,7 @@ def test_create_trustee_and_trust(self, mock_generate_password):
             trust_manager.create_trustee_and_trust(self.osc, mock_cluster)
     
             mock_keystone.create_trustee.assert_called_once_with(
    -            mock_cluster.uuid,
    +            '%s_%s' % (mock_cluster.uuid, mock_cluster.project_id),
                 mock_password,
             )
             mock_keystone.create_trust.assert_called_once_with(
    
  • magnum/tests/unit/conductor/handlers/test_cluster_conductor.py (+5 -0, modified)
    @@ -181,6 +181,11 @@ def test_create(self, mock_openstack_client_class,
             mock_poller.poll_and_check.return_value = loopingcall.LoopingCallDone()
             mock_heat_poller_class.return_value = mock_poller
             osc = mock.sentinel.osc
    +
    +        def return_keystone():
    +            return self.keystone_client
    +
    +        osc.keystone = return_keystone
             mock_openstack_client_class.return_value = osc
             mock_dr = mock.MagicMock()
             mock_driver.return_value = mock_dr
    
  • magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py (+9 -5, modified)
    @@ -191,7 +191,7 @@ def _test_extract_template_definition(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'insecure_registry_url': '10.0.0.1:5000',
                 'kube_version': 'fake-version',
    @@ -233,6 +233,10 @@ def test_extract_template_definition_with_registry(
                               'RegionOne',
                               group='docker_registry')
     
    +        CONF.set_override('cluster_user_trust',
    +                          True,
    +                          group='trust')
    +
             (template_path,
              definition,
              env_files) = mock_driver()._extract_template_definition(self.context,
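
Review bot: this test sets `cluster_user_trust` to True for the registry case, but none of the test hunks in this change covers the opposite path, where `registry_enabled` or `volume_driver == 'rexray'` is set with the option left at False and `get_params()` must raise `exception.ConfigInvalid`. Add that negative test; it is the branch that enforces the new default.
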
    @@ -345,7 +349,7 @@ def test_extract_template_definition_only_required(
                 'ssh_key_name': 'keypair_id',
                 'tenant_name': 'fake_tenant',
                 'tls_disabled': False,
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'trustee_domain_id': 'trustee_domain_id',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    @@ -415,7 +419,7 @@ def test_extract_template_definition_coreos_with_disovery(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'cluster_uuid': self.cluster_dict['uuid'],
                 'magnum_url': self.mock_osc.magnum_url.return_value,
    @@ -481,7 +485,7 @@ def test_extract_template_definition_coreos_no_discoveryurl(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'cluster_uuid': self.cluster_dict['uuid'],
                 'magnum_url': self.mock_osc.magnum_url.return_value,
    @@ -678,7 +682,7 @@ def test_extract_template_definition_without_discovery_url(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'insecure_registry_url': '10.0.0.1:5000',
                 'kube_version': 'fake-version',
    
  • magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py (+5 -4, modified)
    @@ -37,6 +37,7 @@ def setUp(self):
                 'http_proxy': 'http_proxy',
                 'https_proxy': 'https_proxy',
                 'no_proxy': 'no_proxy',
    +            'registry_enabled': False,
                 'server_type': 'vm',
                 'volume_driver': 'volume_driver',
                 'labels': {'rexray_preempt': 'False',
    @@ -117,7 +118,7 @@ def test_extract_template_definition_all_values(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'volume_driver': 'volume_driver',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'region_name': self.mock_osc.cinder_region_name.return_value,
    @@ -171,7 +172,7 @@ def test_extract_template_definition_only_required(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'region_name': self.mock_osc.cinder_region_name.return_value,
                 'username': 'mesos_user',
    @@ -227,7 +228,7 @@ def test_extract_template_definition_with_lb(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'volume_driver': 'volume_driver',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'region_name': self.mock_osc.cinder_region_name.return_value,
    @@ -285,7 +286,7 @@ def test_extract_template_definition_multi_master(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'volume_driver': 'volume_driver',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'region_name': self.mock_osc.cinder_region_name.return_value,
    
  • magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py (+7 -1, modified)
    @@ -74,6 +74,12 @@ def setUp(self):
                 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
                 'coe_version': 'fake-version'
             }
    +
    +        # We need this due to volume_driver=rexray
    +        CONF.set_override('cluster_user_trust',
    +                          True,
    +                          group='trust')
    +
             osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
             self.mock_osc_class = osc_patcher.start()
             self.addCleanup(osc_patcher.stop)
    @@ -280,7 +286,7 @@ def test_extract_template_definition_only_required(
                 'trustee_username': 'fake_trustee',
                 'trustee_password': 'fake_trustee_password',
                 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
    -            'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
    +            'trust_id': '',
                 'auth_url': 'http://192.168.10.10:5000/v3',
                 'swarm_version': 'fake-version',
                 'swarm_strategy': u'spread',
    
