[Openstack-security] [Bug 1071815] Re: auth_token middleware does not check if an endpoint is in the service catalog

Morgan Fainberg morgan.fainberg at gmail.com
Wed Oct 24 18:25:39 UTC 2018


This is not part of the scope of keystonemiddleware. We do not deny
based upon the endpoint/catalog.

** Changed in: keystonemiddleware
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1071815

Title:
  auth_token middleware does not check if an endpoint is in the service
  catalog

Status in keystonemiddleware:
  Won't Fix

Bug description:
  We include the catalog in the token, but it is not checked.  Thus, a
  token that is intended for a subset of the endpoints can be used on
  additional endpoints.  This prevents a user from creating a token
  specific to an endpoint.  The comparable mechanism is service tickets
  in Kerberos.  If a rogue service gets a ticket in Kerberos, it cannot
  reuse that ticket elsewhere.  With the current token scheme, all
  tokens on a compromised server are at risk of being abused throughout
  an OpenStack deployment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1071815/+subscriptions
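What the check the bug report asks for would look like, as an added illustration that is not part of this thread and not keystonemiddleware code (the maintainer declined it above). It assumes a Keystone v3 style token body in which `token["catalog"]` is a list of services, each carrying endpoints with `interface` and `url`, and it assumes the receiving service knows its own advertised URL from configuration. Every name here (`endpoint_in_catalog`, `check_request`, the sample catalog and hostnames) is hypothetical and constructed for the example.

```python
"""Hypothetical endpoint-scope check of the kind bug 1071815 asks for.

Added example, not keystonemiddleware code.  Assumes a Keystone v3 style
token body: token["catalog"] is a list of services, each with endpoints
carrying "interface" and "url".  A service compares its own configured
advertised URL (not the client-controlled Host header) against the catalog
embedded in the validated token before honouring the request.
"""
from urllib.parse import urlsplit

# Constructed sample: a token whose catalog was trimmed to two services,
# so a request arriving at any other service should be refused.
SAMPLE_TOKEN = {
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "url": "https://keystone.example.test:5000/v3"},
            {"interface": "internal", "url": "http://keystone.internal:5000/v3"},
        ]},
        {"type": "object-store", "name": "swift", "endpoints": [
            {"interface": "public",
             "url": "https://swift.example.test:8080/v1/AUTH_%(tenant_id)s"},
        ]},
    ]
}


def _normalize(url):
    """Return (scheme, host, port, path, templated) with default ports filled in.

    Catalog URLs may carry a "%(tenant_id)s" style placeholder; the path is cut
    at the placeholder and flagged as templated so it matches as a prefix.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    path = parts.path
    templated = "%(" in path
    if templated:
        path = path[: path.index("%(")]
    else:
        path = path.rstrip("/")
    return scheme, (parts.hostname or "").lower(), port, path, templated


def _path_under(request_path, endpoint_path, templated):
    """Prefix match that respects path-segment boundaries for literal endpoints."""
    if templated:
        return request_path.startswith(endpoint_path)
    # "/v3" must not match "/v30"; only "/v3" itself or "/v3/..." qualifies.
    return request_path == endpoint_path or request_path.startswith(endpoint_path + "/")


def endpoint_in_catalog(token, request_url, interface="public"):
    """True if request_url falls under an endpoint listed in the token's catalog."""
    scheme, host, port, path, _ = _normalize(request_url)
    for service in token.get("catalog", []):
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            e_scheme, e_host, e_port, e_path, templated = _normalize(ep["url"])
            if (scheme, host, port) != (e_scheme, e_host, e_port):
                continue
            if _path_under(path, e_path, templated):
                return True
    return False


def check_request(token, request_url, interface="public"):
    """Return (allowed, reason) for a request that arrived at request_url.

    Fails closed: a token without any catalog is refused rather than treated
    as valid everywhere, which is exactly the behaviour the report objects to.
    """
    if not token.get("catalog"):
        return False, "token carries no catalog; refusing rather than assuming"
    if endpoint_in_catalog(token, request_url, interface):
        return True, "endpoint present in token catalog"
    return False, "endpoint absent from token catalog"


if __name__ == "__main__":
    for url in ("https://swift.example.test:8080/v1/AUTH_abc/container",
                "https://nova.example.test:8774/v2.1/servers"):
        print(url, "->", check_request(SAMPLE_TOKEN, url))
```

The comparison is done on the service's configured advertised URL because the request's Host header is attacker-controlled; matching against that header would let a caller choose which catalog entry to be compared against. Port defaults are filled in so `https://host/v3` and `https://host:443/v3` compare equal, while a literal endpoint path only matches on a segment boundary.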