[Openstack-security] [openstack/keystone] SecurityImpact review request change I013ae466d626c0a4737d475e1b42b183a88dbe83

gerrit2 at review.openstack.org
Mon Oct 21 21:11:12 UTC 2013


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/37119

Log:
commit a204fd5b30a17952a1e603d19bfb78768b64ac63
Author: Simo Sorce <simo at redhat.com>
Date:   Mon Oct 21 16:58:01 2013 +1000

    Add group key support
    
    A requestor asking for a key for a target identified as a group object
    will receive a group_key ticket.
    
    Group keys are temporary keys with a limited lifetime and are released
    together with a generation number. Multiple keys with different generation
    numbers may exist at the same time.
    
    When no valid keys are found or if the only valid key has less than 10 minutes
    of lifetime a new key is generated using the next available generation number.
    
    Generation numbers grow monotonically.
    
    Group keys can be retrieved using the get_group_key call only by
    requestors belonging to the group. A requestor is considered as belonging
    to a group if the first part of the name is the same as the group.
    
    Requestors must specify a valid generation number when requesting a group
    key. The generation number is used to create the destination name by
    postfixing it to the group name after a colon.
    
    Example:
    requestor: scheduler.xyz.example.com
    destination: scheduler:123
    
    The requestor is considered part of the scheduler group and asks for
    a key of generation number 123. If that key exists, it will be returned
    encrypted with the requestor's key.
    
    blueprint key-distribution-server
    SecurityImpact
    Change-Id: I013ae466d626c0a4737d475e1b42b183a88dbe83
    Co-Authored-By: Jamie Lennox <jamielennox at redhat.com>
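The generation and lookup rules described in the commit message, as an added illustration that is not part of the patch under review or of Keystone's own KDS code. It models an in-memory group key store: a new generation is minted only when no valid key exists or the single valid key has less than 10 minutes left, generation numbers only ever increase, membership is decided by the first dotted component of the requestor name, and the destination is parsed as `group:generation`. The one-hour key lifetime, the class and function names, and the use of an injected `now` timestamp are assumptions for the example; wrapping the returned key with the requestor's key is left out.

```python
import os
import time
from dataclasses import dataclass, field

# Assumed values for this example: the commit fixes the 10-minute renewal
# threshold but does not state the key lifetime, so one hour is a placeholder.
KEY_LIFETIME = 60 * 60
RENEW_THRESHOLD = 10 * 60


@dataclass
class GroupKey:
    generation: int
    secret: bytes
    expires_at: float

    def remaining(self, now):
        return self.expires_at - now

    def is_valid(self, now):
        return self.remaining(now) > 0


@dataclass
class GroupKeyStore:
    """Hypothetical in-memory store, one key list and one counter per group."""
    keys: dict = field(default_factory=dict)             # group -> [GroupKey]
    last_generation: dict = field(default_factory=dict)  # group -> int

    def valid_keys(self, group, now):
        return [k for k in self.keys.get(group, []) if k.is_valid(now)]

    def _new_key(self, group, now):
        # Generation numbers grow monotonically: always the next unused number,
        # never a reuse of an expired one.
        gen = self.last_generation.get(group, 0) + 1
        self.last_generation[group] = gen
        key = GroupKey(gen, os.urandom(32), now + KEY_LIFETIME)
        self.keys.setdefault(group, []).append(key)
        return key

    def current_key(self, group, now=None):
        """Key handed to a requestor whose target is a group object."""
        now = time.time() if now is None else now
        valid = self.valid_keys(group, now)
        # New generation when nothing valid exists, or the only valid key is
        # about to expire (less than 10 minutes of lifetime left).
        if not valid or (len(valid) == 1 and valid[0].remaining(now) < RENEW_THRESHOLD):
            return self._new_key(group, now)
        return max(valid, key=lambda k: k.generation)


def group_of(requestor):
    """A requestor belongs to the group named by the first part of its name."""
    return requestor.split(".", 1)[0]


def parse_destination(destination):
    """Destination is the group name with the generation postfixed after a colon."""
    group, sep, gen = destination.partition(":")
    if not sep or not gen.isdigit():
        raise ValueError("destination must be <group>:<generation>")
    return group, int(gen)


def get_group_key(store, requestor, destination, now=None):
    """Return the requested generation's key if the requestor is a group member."""
    now = time.time() if now is None else now
    group, generation = parse_destination(destination)
    if group_of(requestor) != group:
        raise PermissionError(f"{requestor} is not a member of group {group}")
    for key in store.valid_keys(group, now):
        if key.generation == generation:
            # The real service would return this encrypted with the
            # requestor's key; that step is omitted in this example.
            return key
    raise KeyError(f"no valid key of generation {generation} for group {group}")


if __name__ == "__main__":
    store = GroupKeyStore()
    t0 = time.time()
    first = store.current_key("scheduler", now=t0)
    print("issued generation", first.generation)
    member = get_group_key(store, "scheduler.xyz.example.com", f"scheduler:{first.generation}", now=t0)
    print("member retrieved generation", member.generation)
```

Running the module issues generation 1 for the `scheduler` group and then retrieves it for `scheduler.xyz.example.com`, matching the commit's example; a requestor such as `compute.xyz.example.com` asking for `scheduler:1` is refused by the membership check, and a generation that has expired is refused by the validity filter even though its number is known.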