[Openstack-security] [Bug 1268751] Re: Potential token revocation abuse via group membership
Steve Martinelli
1268751 at bugs.launchpad.net
Mon Aug 1 20:02:37 UTC 2016
Automatically unassigning due to inactivity.
** Changed in: keystone
Assignee: Lance Bragstad (lbragstad) => (unassigned)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1268751
Title:
Potential token revocation abuse via group membership
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
If a group is deleted, all tokens for all users that are a member of
that group are revoked. This leads to potential abuse:
1. A group admin adds a user to a group without users knowledge
2. User creates token
3. Admin deletes group.
4. All of the users tokens are revoked.
Admittedly, this abuse must be instigated by a group admin, which is
the global admin in the default policy file, but an alternative policy
file could allow for the delegation of "add user to group" behavior.
In such a system, this could act as a denial of service attack for a
set of users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1268751/+subscriptions
More information about the Openstack-security
mailing list