<div dir="ltr">+1 to Thierry's statement.  I think a CVE makes sense here.<div>-bryan<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 9, 2013 at 1:11 AM, Thierry Carrez <span dir="ltr"><<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<div class="im"><br>
Kurt Seifried wrote:<br>
> The expectation is that disabling tokens/tenants/etc locks people<br>
> out now, not some point in the future. Is there any specific<br>
> documentation covering this?<br>
><br>
> E.g. for Python pickle the main docs for it:<br>
><br>
> <a href="http://docs.python.org/2/library/pickle.html" target="_blank">http://docs.python.org/2/library/pickle.html</a><br>
><br>
> have a giant red warning at the top stating the security risk. Does<br>
> a similar thing exist for OpenStack tokens?<br>
<br>
</div>I'm pretty sure it's not documented as clearly, and I agree that the<br>
default expectation would be that tokens are invalidated when the<br>
tenant is disabled. Keystone makes it difficult to "fix", because it's<br>
a bit baked in the design of the system, so a stronger change is<br>
needed to address that.<br>
<br>
It's probably fair to assign a CVE for this and cover for it in the<br>
OSSN, until we have a better answer to it.<br>
<div class="im"><br>
- --<br>
Thierry Carrez (ttx)<br>
</div>-----BEGIN PGP SIGNATURE-----<br>
<div class="im">Version: GnuPG v1.4.12 (GNU/Linux)<br>
Comment: Using GnuPG with undefined - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>
<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>
<br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
</div></div></blockquote></div><br></div></div></div>
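Thierry's point above, that a token should stop working as soon as its tenant is disabled, illustrated with an added Python example that is not part of this thread and is not Keystone code: a constructed toy token store whose expiry-only check keeps accepting a token issued before the tenant was disabled, beside a check that re-reads the tenant's current state and a revoke-on-disable variant. All class and function names here are assumptions made for the illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class Tenant:
    name: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    tenant: str
    expires_at: float


class TokenService:
    """Constructed toy token store (assumption, not Keystone's API)."""

    def __init__(self):
        self.tenants = {}
        self.tokens = {}

    def add_tenant(self, name):
        self.tenants[name] = Tenant(name)

    def issue(self, token_id, tenant, ttl=3600, now=None):
        now = time.time() if now is None else now
        if not self.tenants[tenant].enabled:
            raise PermissionError("tenant is disabled")
        self.tokens[token_id] = Token(token_id, tenant, now + ttl)
        return token_id

    def disable_tenant(self, name, revoke=False):
        # Mitigation A: optionally revoke every outstanding token of the tenant
        # at the moment it is disabled, so no stale token survives.
        self.tenants[name].enabled = False
        if revoke:
            self.tokens = {t: v for t, v in self.tokens.items() if v.tenant != name}

    def validate_expiry_only(self, token_id, now=None):
        # Weak check: trusts only the expiry stamped at issuance, so a token
        # issued before the tenant was disabled keeps working until it expires.
        now = time.time() if now is None else now
        tok = self.tokens.get(token_id)
        return tok is not None and tok.expires_at > now

    def validate_with_state(self, token_id, now=None):
        # Mitigation B: re-read the tenant's current state on every validation,
        # so disabling the tenant locks its tokens out immediately.
        if not self.validate_expiry_only(token_id, now):
            return False
        tenant = self.tenants.get(self.tokens[token_id].tenant)
        return tenant is not None and tenant.enabled
```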