[openstack-dev] [Keystone] Validate token response -- How can we handle the following security issues?
Ali, Haneef
haneef.ali at hp.com
Fri Feb 22 07:35:05 UTC 2013
I'm still not comfortable with the validate token response. Not sure why we need to return tenant/domain/user identities?
1) If a hacker gets hold of a valid token (say from a log file), then all he needs to do is call validate token to get the token owner's user id, domain id and tenant id. Using that information he can call DELETE on the user. If that user happens to be a domain admin, then you can DELETE the domain and tenant. How are we going to avoid this?
Thanks
Haneef
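The chain described in the post (token found in a log, validate it to learn the owner's user/tenant/domain ids, then call DELETE) can be modelled in a few lines, together with the two controls a defender would reach for: requiring an admin or service token to call validate (so a leaked user token alone cannot be turned into its owner's identities), and authorising destructive calls by the caller's role rather than by mere possession of a valid token, plus redacting token values before they reach a log file. This is an added, constructed toy and not Keystone's code; the class and function names, the 32-hex-character token format, and the `X-Auth-Token:` log line layout are assumptions made for the illustration.

```python
import hashlib
import re
import uuid
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when a caller is not allowed to perform the requested call."""


@dataclass(frozen=True)
class Token:
    token_id: str
    user_id: str
    tenant_id: str
    domain_id: str
    roles: tuple


class ToyIdentityService:
    """Minimal in-memory stand-in for a Keystone-like token service (constructed)."""

    def __init__(self):
        self._tokens = {}   # token_id -> Token
        self._users = {}    # user_id -> domain_id

    def add_user(self, user_id, domain_id):
        self._users[user_id] = domain_id

    def has_user(self, user_id):
        return user_id in self._users

    def issue_token(self, user_id, tenant_id, roles):
        """Mint a token scoped to a tenant, carrying the user's roles (uuid hex, as assumed here)."""
        if user_id not in self._users:
            raise AuthError("unknown user")
        tok = Token(uuid.uuid4().hex, user_id, tenant_id,
                    self._users[user_id], tuple(roles))
        self._tokens[tok.token_id] = tok
        return tok

    def _lookup(self, token_id):
        tok = self._tokens.get(token_id)
        if tok is None:
            raise AuthError("invalid or expired token")
        return tok

    def validate_unrestricted(self, token_id):
        """The design the post objects to: any valid token yields its owner's identities."""
        tok = self._lookup(token_id)
        return {"user_id": tok.user_id, "tenant_id": tok.tenant_id,
                "domain_id": tok.domain_id}

    def validate(self, caller_token_id, token_id):
        """Hardened: only a caller presenting an admin/service token may validate tokens."""
        caller = self._lookup(caller_token_id)
        if "admin" not in caller.roles:
            raise AuthError("validate requires an admin/service token")
        return self.validate_unrestricted(token_id)

    def delete_user(self, caller_token_id, user_id):
        """Destructive call authorised by the caller's role, not by holding any valid token."""
        caller = self._lookup(caller_token_id)
        if "admin" not in caller.roles:
            raise AuthError("delete_user requires the admin role")
        if user_id not in self._users:
            raise AuthError("unknown user")
        del self._users[user_id]
        # Revoke every token that belonged to the deleted user.
        self._tokens = {k: v for k, v in self._tokens.items() if v.user_id != user_id}
        return True


# Log hygiene: the post's attacker starts from a token read out of a log file.
# Assumed log layout: "X-Auth-Token: <32 hex chars>" (constructed for this example).
TOKEN_IN_LOG = re.compile(r"(X-Auth-Token:\s*)([0-9a-f]{32})", re.IGNORECASE)


def redact_token(line):
    """Replace a token value with a short, non-reversible fingerprint that still lets
    operators correlate requests made with the same token."""
    def _sub(match):
        fingerprint = hashlib.sha256(match.group(2).encode()).hexdigest()[:8]
        return f"{match.group(1)}<redacted:{fingerprint}>"
    return TOKEN_IN_LOG.sub(_sub, line)


if __name__ == "__main__":
    svc = ToyIdentityService()
    svc.add_user("alice", "dom1")
    svc.add_user("bob", "dom1")
    t_alice = svc.issue_token("alice", "proj1", ["member"])
    t_admin = svc.issue_token("bob", "proj1", ["admin"])
    print("unrestricted:", svc.validate_unrestricted(t_alice.token_id))
    try:
        svc.validate(t_alice.token_id, t_alice.token_id)
    except AuthError as exc:
        print("hardened validate with a member token:", exc)
    print("log line:", redact_token("X-Auth-Token: " + t_alice.token_id))
```

The fingerprint in `redact_token` is a truncated SHA-256 of the token value: enough to tie log lines from one session together during an investigation, but not enough to reconstruct the token.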