Open Stack

I think it may be worse than this. I think the delegated trust can have
escalated privileges, e.g. be given the admin role even though the user
does not have this. Can you check it?

David

On 01/06/2015 20:26, Jeremy Stanley wrote:
> I've switched this bug to public and added a security tag in case
> someone wants to make sure it's a behavior we have documented clearly
> (in Keystone's docs, deployment manuals, security guide, OSSN,
> wherever).
> 
> ** Changed in: ossa
>        Status: Incomplete => Won't Fix
> 
> ** Description changed:
> 
> - This issue is being treated as a potential security risk under embargo.
> - Please do not make any public mention of embargoed (private) security
> - vulnerabilities before their coordinated publication by the OpenStack
> - Vulnerability Management Team in the form of an official OpenStack
> - Security Advisory. This includes discussion of the bug or associated
> - fixes in public forums such as mailing lists, code review systems and
> - bug trackers. Please also avoid private disclosure to other individuals
> - not already approved for access to this information, and provide this
> - same reminder to those who are made aware of the issue prior to
> - publication. All discussion should remain confined to this private bug
> - report, and any proposed fixes should be added to the bug as
> - attachments.
> - 
>   It seems possible for a service to create a trust using a token supplied
>   by client on an API call.
>   
>   Use-case:
>   
>   1. User uses login/password to get a token from keystone.
>   2. User creates a client of a service providing the token.
>   3. Client uses service API providing the token.
>   4. Service creates a trust allowing it to impersonate the user at any time.
>   5. The trust is created and the user doesn't know about it.
>   
>   Don't know whether it bug or a feature, but it doesn't look legitimate
>   to me.
> 
> ** Information type changed from Private Security to Public
> 
> ** Tags added: security
>