[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token

Kurt Seifried kseifried at redhat.com
Wed Aug 7 19:22:15 UTC 2013



On 08/07/2013 06:33 AM, Clark, Robert Graham wrote:
> [DRAFT] - Please Review
> Disabling a tenant does not disable a user token
> ----
> 
> ### Summary ###
> When a tenant is disabled in Keystone, tokens that have been issued
> to that tenant are not invalidated. This can result in users having
> access to your cloud after you have attempted to revoke them.
> 
> ### Affected Services / Software ###
> Keystone
> 
> ### Discussion ###
> It appears that Keystone does not purge the tokens given out to
> tenants when a tenant is disabled. In some scenarios this could be
> very important to cloud providers. Take the case where a cloud
> provider must revoke a tenant's access because of some legal
> investigation. Even though the tenant is disabled it would be
> possible for them to terminate VMs / delete Swift files etc. -
> There are many other abuse-cases...
> 
> ### Recommended Actions ###
> How the tokens are stored depends on your cloud deployment. If you
> deploy using Memcache to back Keystone then flushing the cache when
> disabling a token would resolve this issue for you, at the cost of
> other token lookups which are no longer in the cache requiring
> Keystone interaction.
> 
> It is of course possible to script something to remove tokens from
> any backend DB or cache but there is no 'official' way to do this.
> 
> ### Contacts / References ###
> Proposed Fix : https://review.openstack.org/#/c/39878/
> This OSSN : https://bugs.launchpad.net/ossn/+bug/1179955
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> 



I assume this needs a CVE?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
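The behaviour the draft OSSN describes, as an added illustration that is not part of the original thread and not Keystone's own code: an in-memory model where a token records the tenant it was scoped to, disabling the tenant only flips a flag, and an expiry-only validator therefore keeps accepting the token. Two mitigations are modelled alongside it: re-checking the tenant's enabled flag at validation time, and the "script it yourself" route the draft mentions, here as an audit for unexpired tokens scoped to disabled tenants plus a purge of those tokens. The class, method names and the 24-hour token lifetime are assumptions made for the example.

```python
"""Added example, not Keystone's own code: an in-memory model of the
OSSN's issue. Tokens are scoped to a tenant; disabling the tenant does
not touch the token records, so a validator that only checks expiry
keeps accepting them. Names and the 24h lifetime are hypothetical."""
import time
import uuid

TOKEN_TTL = 86400  # assumed token lifetime in seconds (24h)


class TokenStore:
    def __init__(self):
        self.tenants = {}  # tenant_id -> {"enabled": bool}
        self.tokens = {}   # token_id -> {"user_id", "tenant_id", "expires"}

    def create_tenant(self, tenant_id):
        self.tenants[tenant_id] = {"enabled": True}

    def issue_token(self, user_id, tenant_id, now=None):
        """Issue a tenant-scoped token; refuses a disabled or unknown tenant."""
        now = time.time() if now is None else now
        if not self.tenants.get(tenant_id, {}).get("enabled"):
            raise PermissionError("tenant disabled or unknown")
        token_id = uuid.uuid4().hex
        self.tokens[token_id] = {"user_id": user_id, "tenant_id": tenant_id,
                                 "expires": now + TOKEN_TTL}
        return token_id

    def disable_tenant(self, tenant_id):
        """The behaviour the OSSN describes: only the tenant flag changes,
        every token already issued to the tenant is left in place."""
        self.tenants[tenant_id]["enabled"] = False

    def validate_naive(self, token_id, now=None):
        """Expiry-only check: still accepts tokens of a disabled tenant."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_id)
        return tok is not None and now < tok["expires"]

    def validate_hardened(self, token_id, now=None):
        """Expiry check plus: the tenant the token is scoped to must still
        be enabled at the moment the token is used."""
        if not self.validate_naive(token_id, now):
            return False
        tenant = self.tenants.get(self.tokens[token_id]["tenant_id"])
        return bool(tenant and tenant["enabled"])

    def orphaned_tokens(self, now=None):
        """Audit query: unexpired tokens whose tenant is disabled. This is
        what a cleanup script against the token backend would look for."""
        now = time.time() if now is None else now
        return sorted(
            tid for tid, tok in self.tokens.items()
            if now < tok["expires"]
            and not self.tenants.get(tok["tenant_id"], {}).get("enabled"))

    def purge_tenant_tokens(self, tenant_id):
        """Delete every token scoped to the tenant; returns how many went."""
        doomed = [tid for tid, tok in self.tokens.items()
                  if tok["tenant_id"] == tenant_id]
        for tid in doomed:
            del self.tokens[tid]
        return len(doomed)


def demo():
    s = TokenStore()
    s.create_tenant("acme")
    tok = s.issue_token("alice", "acme", now=0)
    s.disable_tenant("acme")
    print("naive validator still accepts:", s.validate_naive(tok, now=10))
    print("hardened validator accepts:", s.validate_hardened(tok, now=10))
    print("orphaned tokens found by audit:", s.orphaned_tokens(now=10))
    print("tokens purged:", s.purge_tenant_tokens("acme"))
    print("naive validator after purge:", s.validate_naive(tok, now=10))


if __name__ == "__main__":
    demo()
```

The validation-time check is the cheaper fix to reason about: a purge only helps for backends you can enumerate, whereas re-reading the tenant's enabled flag on every validation closes the window regardless of where tokens are cached, at the cost of one extra lookup per request.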