
<div dir="ltr">+1 to Thierry's statement. 狢 think a CVE makes sense here.<div>-bryan<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 9, 2013 at 1:11 AM, Thierry Carrez <span dir="ltr"><<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA256<br>

<div class="im"><br>

Kurt Seifried wrote:<br>

> The expectation is that disabling tokens/tenants/etc locks people<br>

> out now, not some point in the future. Is there any specific<br>

> documentation covering this?<br>

><br>

> E.g. for Python pickle the main docs for it:<br>

><br>

> <a href="http://docs.python.org/2/library/pickle.html" target="_blank">http://docs.python.org/2/library/pickle.html</a><br>

><br>

> have a giant red warning at the top stating the security risk. Does<br>

> a similar thing exist for OpenStack tokens?<br>

<br>

</div>I'm pretty sure it's not documented as clearly, and I agree that the<br>

default expectation would be that tokens are invalidated when the<br>

tenant is disabled. Keystone makes it difficult to "fix", because it's<br>

a bit baked in the design of the system, so a stronger change is<br>

needed to address that.<br>

<br>

It's probably fair to assign a CVE for this and cover for it in the<br>

OSSN, until we have a better answer to it.<br>

<div class="im"><br>

- --<br>

Thierry Carrez (ttx)<br>

</div>-----BEGIN PGP SIGNATURE-----<br>

<div class="im">Version: GnuPG v1.4.12 (GNU/Linux)<br>

Comment: Using GnuPG with undefined - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>

<br>

</div>iQIcBAEBCAAGBQJSBKQxAAoJEFB6+JAlsQQjRhkP/iy2H91krtVkeIunbaKJo9V0<br>

VU0NODDKV8P3Z8TD94j2f6iJJYzN14OVgbHng4Q6tGKO9Oz5pxyWllILs+clzgwR<br>

7/TLYBOt45WgOgxvZt6MhzWy9SRuA9DxVse8ecWUSngYO566BWWPVKrgLRTu+Oo3<br>

UDzKcqyChw1eaTRwCre5huD0lq67/mBZ2xUa4j21XeO3XJKVZx+gd4RITztueLXg<br>

3RIaaIY/tnMBGyQUTrjsCUSQIuvJHJuOTDejwmIn4Armdr2vxUZwAFD0Zcn3W/su<br>

n08eRgg7zbeTieVqA8flHR2rw7MaMNEJib5NgKVWhLH+pxdqqPWNrA4JE891H/Qk<br>

gPB/aQ5WZsTc/4ZIvUn7qBf3kGtNJiuLx9bNuz+qsr3w3vc0InZWj3E8irVpIuw2<br>

IfFaJ3Gm1MHKzT9QA0QcwwOOHdWlesLKdENiykARWphX3MUwQkicFzlWSxCvC7kY<br>

JiFuqf9INRBIDWZXgdLVBLP3okaAyWuWmERS2je6PwaQ4+On/A7fm7duxgvEDmY7<br>

+RMjitFLaNqX2lL0m1DtuVTUQOa/NK6bsEJ3PvK2U0Y5v4OFOJAnHB97EPvYLMwB<br>

RYucoiYqTD0auGiHiOahWwzB9FdU+oPJT6nUDV+Ji0PgZXArCMu4QNTYD9a8il0V<br>

qV7iEE/6YdM7t9TN4AdA<br>

=+J3A<br>

<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>

<br>

_______________________________________________<br>

Openstack-security mailing list<br>

<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>

</div></div></blockquote></div><br></div></div></div>