[Openstack-security] [Bug 890411] Re: Tenant role conflicts/overlaps can be a security issue

Morgan Fainberg morgan.fainberg at gmail.com
Wed Jun 4 23:05:42 UTC 2014


This stems from a design decision, and isn't really a bug. This is more
of a lack of a feature. This should be written up as a specification:
https://git.openstack.org/cgit/openstack/keystone-specs and treated like
a new feature. Marking this bug as "won't fix".

** Changed in: keystone
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/890411

Title:
  Tenant role conflicts/overlaps can be a security issue

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  During the validate token call all the tenant roles (associated with
  the tenant scoped token) are returned to the middle-ware component and
  then passed along in the X_ROLES header to the OS service for
  consumption. In the case where more than one OS service is bound to
  the same tenant (e.g. Swift and Nova, or Nova 1 and Nova 2), a user
  with a particular role for one service, let's just say the 'Admin' role,
  will now also have the 'Admin' role in the second service. This is
  because roles are currently only scoped to the tenant level. The
  middle-ware just takes all returned tenant roles and stuffs them into
  the X_ROLES header regardless of the actual service the middle-ware is
  protecting. A quick fix to this problem would be to change the
  validate token interfaces (GET/HEAD /tokens/{tokenId}) to require a
  {serviceId} filter... so something like GET
  /tokens/{tokenId}?serviceId={serviceId}. The Keystone service would
  then only return roles in the response that are tied to that specific
  serviceId. If the serviceId was not provided, or was invalid, or no
  roles were found for that serviceId, then a 401 would be returned.
  Future Keystone work could consider allowing filtering down to the
  {endpointId}, but such a change would require a data model
  change to allow serviceIds to be defined on endpoint references...
  Not to mention more API changes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/890411/+subscriptions
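The following is an added example, not code from the bug report or from Keystone, that models the overlap the reporter describes and the serviceId filter they propose. The token store, the two service ids and the role grants are constructed for illustration; the function names and the notion of a per-grant service_id are assumptions for the sake of the demonstration, not Keystone's data model.

```python
"""Constructed model of the tenant-level role overlap described in bug 890411
and of the proposed serviceId filter on token validation. Nothing here is
Keystone's own code; the token store and service ids are made up."""
from typing import Dict, List, Optional


class Unauthorized(Exception):
    """Stands in for the HTTP 401 the report proposes for a missing or
    invalid serviceId, or for a token with no roles for that service."""


# Constructed catalogue: two services bound to the same tenant.
SERVICES = {"svc-nova", "svc-swift"}

# Constructed token store. Each grant records which service the role was
# intended for, which is exactly what a tenant-only scope cannot express.
TOKENS: Dict[str, dict] = {
    "tok-alice": {
        "tenant_id": "tenant-1",
        "grants": [
            {"role": "Admin", "service_id": "svc-nova"},    # Admin of Nova only
            {"role": "Member", "service_id": "svc-swift"},  # ordinary Swift user
        ],
    },
}


def validate_token_tenant_scoped(token_id: str) -> List[str]:
    """Behaviour the report describes: every role on the tenant is returned,
    with no notion of which service each role was meant for."""
    entry = TOKENS.get(token_id)
    if entry is None:
        raise Unauthorized("unknown token")
    return [g["role"] for g in entry["grants"]]


def validate_token_service_scoped(token_id: str,
                                  service_id: Optional[str] = None) -> List[str]:
    """Proposed fix: GET /tokens/{tokenId}?serviceId={serviceId}.
    A missing or invalid serviceId, or no roles bound to it, yields 401."""
    entry = TOKENS.get(token_id)
    if entry is None:
        raise Unauthorized("unknown token")
    if service_id is None or service_id not in SERVICES:
        raise Unauthorized("serviceId missing or invalid")
    roles = [g["role"] for g in entry["grants"] if g["service_id"] == service_id]
    if not roles:
        raise Unauthorized("no roles for serviceId %s" % service_id)
    return roles


def x_roles_header(roles: List[str]) -> str:
    """Middleware step: serialise whatever roles came back into X_ROLES."""
    return ",".join(roles)


def service_grants_admin(x_roles: str) -> bool:
    """The protected service's own check on the forwarded header."""
    return "Admin" in x_roles.split(",")


def compare(token_id: str, protected_service: str) -> dict:
    """Build X_ROLES for one protected service both ways and report whether
    that service would treat the caller as Admin."""
    legacy = x_roles_header(validate_token_tenant_scoped(token_id))
    try:
        fixed = x_roles_header(
            validate_token_service_scoped(token_id, protected_service))
    except Unauthorized:
        fixed = ""  # middleware would reject the request instead of forwarding
    return {
        "legacy_header": legacy,
        "legacy_admin": service_grants_admin(legacy),
        "fixed_header": fixed,
        "fixed_admin": service_grants_admin(fixed),
    }


if __name__ == "__main__":
    # Middleware in front of Swift: the tenant-scoped path forwards Nova's
    # Admin role to Swift; the service-scoped path forwards only Member.
    print(compare("tok-alice", "svc-swift"))
    print(compare("tok-alice", "svc-nova"))
```

The legacy path hands Swift an X_ROLES of `Admin,Member`, so a user who was only meant to administer Nova passes Swift's Admin check; the filtered path gives Swift `Member` alone and gives Nova `Admin`, and any validation call without a known serviceId is refused outright.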
