[Openstack-security] [Bug 1499555] Re: You can crash keystone or make the DB very slow by assigning many roles
Haneef Ali
1499555 at bugs.launchpad.net
Fri Oct 16 23:02:42 UTC 2015
This is not a question about a permission issue.
Basically Keystone has an unbounded list in the backend which can
be exploited by the user. All we need is a simple conf value to guard
against such exploitation.
e.g. max roles that can be added to a user = (50). This itself is too
much, but it is better than infinity.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1499555
Title:
You can crash keystone or make the DB very slow by assigning many roles
Status in Keystone:
Triaged
Status in OpenStack Security Advisory:
Incomplete
Bug description:
This is applicable to UUID and PKI tokens.
The token table has an extra column where we store role information. It is a
blob with a 64K limit. Basically we can do the following to fill the BLOB:
Say the user is U, and the project is P
for i = 1 to 1000 (or any large number)
    role x = create role i with some large name
    assign role x for user U and project P
create a project-scoped token for user U
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1499555/+subscriptions
More information about the Openstack-security
mailing list
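The following is an added illustration, not Keystone code and not part of the bug report or the reply above. It replays the fill loop from the bug description against a tiny in-memory assignment store, once unbounded (the behaviour the bug reports) and once with the per-user, per-project cap the comment proposes, and measures the serialized role payload against the 64K BLOB limit the description cites. The config name MAX_ROLES_PER_USER_PROJECT, the store class, the 255-character role-name length and the JSON shape of the payload are all assumptions made for this example.

```python
import json

# Hypothetical config knob (the reply above suggests 50). None means unbounded,
# which is the behaviour the bug reports.
MAX_ROLES_PER_USER_PROJECT = 50

# Capacity of a MySQL BLOB column, the limit the bug description cites.
BLOB_LIMIT = 64 * 1024


class RoleLimitExceeded(Exception):
    """Raised when an assignment would exceed the configured cap."""


class RoleAssignmentStore:
    """Tiny in-memory stand-in for the assignment backend (not Keystone's)."""

    def __init__(self, max_roles=MAX_ROLES_PER_USER_PROJECT):
        self.max_roles = max_roles
        self._assignments = {}  # (user_id, project_id) -> [role names]

    def assign(self, user_id, project_id, role_name):
        roles = self._assignments.setdefault((user_id, project_id), [])
        if role_name in roles:
            return  # re-assigning an existing role is a no-op
        if self.max_roles is not None and len(roles) >= self.max_roles:
            raise RoleLimitExceeded(
                "user %s already has %d roles on project %s"
                % (user_id, len(roles), project_id))
        roles.append(role_name)

    def roles_for(self, user_id, project_id):
        return list(self._assignments.get((user_id, project_id), []))


def token_role_payload(roles):
    """Serialize the role list the way a token's extra column might carry it.

    Plain JSON with only the name is an assumption for this example; a real
    token payload also carries role IDs and other metadata, so it would be
    larger, not smaller, than what is measured here."""
    return json.dumps([{"name": name} for name in roles]).encode("utf-8")


def run_fill_attempt(store, user_id, project_id, n_roles, name_len=255):
    """Replay the loop from the bug description against the given store.

    Stops at the cap if the store enforces one. Returns a tuple of
    (roles_assigned, payload_bytes, fits_in_blob)."""
    for i in range(n_roles):
        # Pad every name to the maximum length so each assignment costs as
        # much as possible; the counter keeps the names unique.
        name = ("role-%d-" % i).ljust(name_len, "x")
        try:
            store.assign(user_id, project_id, name)
        except RoleLimitExceeded:
            break
    roles = store.roles_for(user_id, project_id)
    payload = token_role_payload(roles)
    return len(roles), len(payload), len(payload) <= BLOB_LIMIT


if __name__ == "__main__":
    # Unbounded, as the bug describes: 1000 long role names overflow the blob.
    unbounded = run_fill_attempt(
        RoleAssignmentStore(max_roles=None), "U", "P", 1000)
    # Capped at 50, as the reply proposes: the payload stays inside the limit.
    capped = run_fill_attempt(RoleAssignmentStore(), "U", "P", 1000)
    print("unbounded: roles=%d bytes=%d fits=%s" % unbounded)
    print("capped:    roles=%d bytes=%d fits=%s" % capped)
```

The cap bounds the cost of a single (user, project) pair; it does not by itself bound how many projects a user can be given roles on, so a deployment-wide limit would have to consider that dimension too.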