[Openstack-security] [Bug 1499555] Re: You can crash keystone or make the DB very slow by assigning many roles
Guang Yee
1499555 at bugs.launchpad.net
Tue Nov 17 17:56:34 UTC 2015
Only admin can perform role assignments so this is not so much as abuse
as putting a safety mechanism in place to help them deal with the
architectural limitations.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1499555
Title:
You can crash keystone or make the DB very slow by assigning many
roles
Status in OpenStack Identity (keystone):
In Progress
Status in OpenStack Security Advisory:
Incomplete
Bug description:
This is applicable for UUID and PKI tokens.
Token table has extra column where we store role information. It is a
blob with 64K limit. Basically we can do the following to fill the
BLOB
Say user is U, and Project is P
for i =1 to 1000 ( or any large number)
role x = create role i with some large name
assign role x for user U and Project P
create a project scoped token for user U
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1499555/+subscriptions
More information about the Openstack-security
mailing list