[openstack-dev] [Keystone] Validate token response -- How can we handle the following security issues?.

Bhandaru, Malini K malini.k.bhandaru at intel.com
Sat Feb 23 01:02:14 UTC 2013


The service that sought validation of the token may need those user-id, domain-id, tenant-id. Alternately, they may already be present in the request.

I am thinking if the only leak point for the token is the log file (it is no longer part of the URL), then perhaps we should log a hash of it or in some other way obfuscate, render useless, sort of how we "*" password entries or credit card numbers.
Perhaps only in debug mode display token information in the log file. This would be in sync with how we do not provide an exception trace to the user unless debug is set in the web UI.

Regards
Malini

From: Ali, Haneef [mailto:haneef.ali at hp.com]
Sent: Thursday, February 21, 2013 11:35 PM
To: OpenStack Development Mailing List (openstack-dev at lists.openstack.org)
Subject: [openstack-dev] [Keystone] Validate token response -- How can we handle the following security issues?.

I'm still not comfortable with the validate token response. Not sure why we need to return tenant/domain/user identities?

1) If a hacker gets hold of a valid token (say from a log file), then all he needs to do is call validate token to get the token owner's userid, domain id and tenant id. Using that information he can call DELETE on user. If that user happens to be domain admin, then you can DELETE domain and tenant. How are we going to avoid this?

Thanks
Haneef
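
The log-side mitigation suggested in the reply above (log a hash of the token, show the raw value only in debug mode), sketched as an added example that is not part of the original thread and not Keystone code. The filter class, its show_tokens flag, the two log line shapes and the sample token are assumptions made for illustration.

```python
import hashlib
import io
import logging
import re

# Assumption: tokens reach the log as "X-Auth-Token: <value>" or "token=<value>".
TOKEN_RE = re.compile(r"(?i)\b(x-auth-token|token)(\s*[:=]\s*)([A-Za-z0-9_+/=.-]{8,})")
SAMPLE_TOKEN = "0123456789abcdef0123456789abcdef"  # constructed, not a real token


def fingerprint(token):
    """One-way, truncated digest: enough to correlate log lines, useless as a credential."""
    return "{SHA256}" + hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


class TokenRedactingFilter(logging.Filter):
    """Hypothetical filter: hashes tokens unless debug display is explicitly enabled."""

    def __init__(self, show_tokens=False):
        super().__init__()
        self.show_tokens = show_tokens

    def filter(self, record):
        if not self.show_tokens:
            # Render first so tokens passed as %-style arguments are covered too.
            rendered = record.getMessage()
            record.msg = TOKEN_RE.sub(
                lambda m: m.group(1) + m.group(2) + fingerprint(m.group(3)), rendered)
            record.args = None
        return True  # never drop the record, only rewrite it


def demo(show_tokens=False):
    """Log two constructed lines through the filter and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(TokenRedactingFilter(show_tokens))
    log = logging.getLogger("token-redaction-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("GET /example X-Auth-Token: %s", SAMPLE_TOKEN)
    log.info("validated token=%s for request", SAMPLE_TOKEN)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to the handler rather than to a single logger means records propagated from other loggers are rewritten as well before they reach the file.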