[Openstack-security] Fw: [openstack-dev] [Keystone] [Swift] Question re. keystone domains

Shohel Ahmed shohel_csdu at yahoo.com
Wed Jul 2 08:16:16 UTC 2014


Bringing this to OSSG attention. 

The second one seems a security-critical assumption. Without input/output validation in keystone/Swift for domain_id or good documentation in place, this assumption can be exploited later on by some attacker to break Swift.


...shohel




On Tuesday, July 1, 2014 10:19 PM, Dolph Mathews <dolph.mathews at gmail.com> wrote:


On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair <alistair.coles at hp.com> wrote:

> We have a change [1] under review in Swift to make access control lists compatible with migration to keystone v3 domains. The change makes two assumptions that I'd like to double-check with keystone folks:
>
> 1. That a project can never move from one domain to another.

We're moving in this direction, at least. In Grizzly and Havana, we made no such restriction. In Icehouse, we introduced such a restriction by default, but it can be disabled. So far, we haven't gotten any complaints about adding the restriction, so maybe we should just add additional help text to the option in our config about why you would never want to disable the restriction, citing how it would break swift?

> 2. That the underscore character cannot appear in a valid domain id - more specifically, that the string '_unknown' cannot be confused with a domain id.

That's fairly sound. All of our domain IDs are system-assigned as UUIDs, except for the "default" domain which has an explicit id='default'. We don't do anything to validate the assumption, though.

> Are those safe assumptions?
>
> Thanks,
> Alistair
>
> [1] https://review.openstack.org/86430

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
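One way to turn the two assumptions above into checks that are actually enforced, as an added example (my own code, not keystone's or Swift's; it assumes keystone's system-assigned ids are `uuid.uuid4().hex`, i.e. 32 lowercase hex digits, which the thread does not state, and that "default" is the only hand-assigned domain id):

```python
import re
import uuid

# Assumption (not taken from the thread): keystone's system-assigned ids are
# uuid.uuid4().hex, exactly 32 lowercase hex digits; "default" is the single
# hand-assigned domain id that Dolph mentions.
SYSTEM_ID_RE = re.compile(r"[0-9a-f]{32}")
DEFAULT_DOMAIN_ID = "default"
# Placeholder that Swift's ACL handling relies on never being a real domain id.
RESERVED_SENTINELS = frozenset({"_unknown"})


def is_valid_domain_id(domain_id: object) -> bool:
    """Accept only ids keystone would actually assign; anything else (including
    an underscore sentinel, mixed case, or a trailing newline) is rejected."""
    if not isinstance(domain_id, str):
        return False
    if domain_id == DEFAULT_DOMAIN_ID:
        return True
    return SYSTEM_ID_RE.fullmatch(domain_id) is not None


def sentinel_collisions(sentinels=RESERVED_SENTINELS) -> list:
    """Sentinels the validator would wrongly admit as domain ids (should be empty)."""
    return sorted(s for s in sentinels if is_valid_domain_id(s))


def check_project_update(stored: dict, update: dict) -> dict:
    """Apply an update to a project record, refusing any change of domain_id
    (assumption 1) and any domain_id that fails validation (assumption 2)."""
    new_domain = update.get("domain_id", stored["domain_id"])
    if not is_valid_domain_id(new_domain):
        raise ValueError("invalid domain_id: %r" % (new_domain,))
    if new_domain != stored["domain_id"]:
        raise ValueError("project %s cannot move from domain %s to %s"
                         % (stored["id"], stored["domain_id"], new_domain))
    merged = dict(stored)
    merged.update(update)
    return merged


if __name__ == "__main__":
    # Constructed sample record, not a real keystone project.
    project = {"id": uuid.uuid4().hex, "name": "demo",
               "domain_id": uuid.uuid4().hex}
    print(is_valid_domain_id("default"), is_valid_domain_id("_unknown"))
    print(sentinel_collisions())
    print(check_project_update(project, {"name": "demo-renamed"})["name"])
    try:
        check_project_update(project, {"domain_id": DEFAULT_DOMAIN_ID})
    except ValueError as exc:
        print("rejected:", exc)
```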