Open Stack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Potential token revocation abuse via group membership
- ---

### Summary ###
Deletion of groups in Keystone causes token revocation for group
members.  If group capabilities are delegated to users, they can abuse
those capabilities to maliciously revoke tokens for other users.

### Affected Services / Software ###
Keystone, Grizzly, Havana, Icehouse

### Discussion ###
If a group is deleted from Keystone, all tokens for all users that are
members of that group are revoked.  By adding users to a group without
those users' knowledge and then deleting that group, a group admin can
revoke all of the users' tokens.  While the default policy file gives
the group admin role to global admin, an alternative policy could
delegate the "create_group", "add_user_to_group", and "delete_group"
capabilities to a set of users.  In such a system, those users will also
get a token revocation capability.  Only setups using a custom policy
file in Keystone are affected.

### Recommended Actions ###
Keystone's default policy.json file uses the "admin_required" rule for
the "create_group", "delete_group", and "add_user_to_group"
capabilities.  It is recommended that you use this default configuration
if possible.  Here is an example snippet of a properly configured
policy.json file:

- ---- begin example policy.json snippet ----
    "identity:create_group": "rule:admin_required",
    "identity:delete_group": "rule:admin_required",
    "identity:add_user_to_group": "rule:admin_required",
- ---- end example policy.json snippet ----

If you need to delegate the above capabilities to non-admin users, you
need to take into account that those users will be able to revoke
tokens for other users by performing group deletion operations.  You
should take caution with who you delegate these capabilities to.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0009
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1268751
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTPCYGAAoJEJa+6E7Ri+EVw+wIAI1RaoIuHf7VAQSI8J/RhUK/
sKmoKUmEq0yDTQwKnbW2X8PMM6t4d4NDV0bSJfrKZYjnIWBNoh0hk3yg4GYytn2s
s8o31ctOhWWOx/EGfnhlm7IrJZ91KmnhrVTLMdSFOQhiIzxa2gyEk0Fw3k6oYlDN
wJWC5NyKKeNpjb7SSoHhifcQ/7FGUJIcd8tnm1KT3vMrK9pUM46Jsb8sdfZ2+8hE
ym3vCSc47t5K/32HFDjiAsfaCKBVIoJeOBOJGOcsQIpuW6GkRB8Ic5n2+EW25Z3O
y5tgwhHZaoTL6K0KlpGHPvVSoeJea09yTL97KqCIcMM89KwNcKvobM2KHgtwqHY=
=i6VA
-----END PGP SIGNATURE-----