[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token

Kurt Seifried kseifried at redhat.com
Thu Aug 8 15:53:35 UTC 2013



On 08/08/2013 02:43 AM, Thierry Carrez wrote:
> Kurt Seifried wrote:
>> On 08/07/2013 06:33 AM, Clark, Robert Graham wrote:
>>> [DRAFT] - Please Review Disabling a tenant does not disable a 
>>> user token ----
>> [...] I assume this needs a CVE?
> 
> Your call... To me it's more of an explanation of how things work 
> (non-obvious design with potential security implications which need
> to be communicated to users) than a vulnerability... which is why
> this was handled as a security note rather than an advisory.

Well there was

https://lists.launchpad.net/openstack/msg17035.html

and this seems to be a continuation of that problem. The expectation
is that disabling tokens/tenants/etc locks people out now, not some
point in the future. Is there any specific documentation covering this?

E.g. for Python pickle the main docs for it:

http://docs.python.org/2/library/pickle.html

have a giant red warning at the top stating the security risk. Does a
similar thing exist for OpenStack tokens?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
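The behaviour the note describes (a token scoped to a tenant stays valid after that tenant is disabled, until the token itself expires) versus the behaviour Kurt says users expect (the holder is locked out at once) comes down to when the tenant's enabled flag is consulted. The following is an added illustrative model written for this page; it is not Keystone code and does not reproduce Keystone's token format, storage or API. The `TokenService`, `Tenant` and `Token` names, the TTL, and the user and tenant names are all constructed for the example.

```python
"""Toy model of issuance-time vs validation-time tenant checks.

Added example for this thread, NOT OpenStack/Keystone code.
  - issuance-time policy: the tenant is checked only when the token is
    issued; the token stays valid until it expires even if the tenant is
    disabled in the meantime (the behaviour the OSSN describes).
  - validation-time policy: every validation re-reads the tenant's enabled
    flag, so disabling the tenant locks the token holder out immediately.
All names, TTLs and sample data are constructed for the example.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Tenant:
    name: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    user: str
    tenant: str
    expires_at: float  # seconds on an abstract clock (hypothetical)


@dataclass
class TokenService:
    ttl_seconds: float = 3600.0
    check_tenant_on_validate: bool = False  # False models the OSSN behaviour
    tenants: dict[str, Tenant] = field(default_factory=dict)
    tokens: dict[str, Token] = field(default_factory=dict)

    def add_tenant(self, name: str) -> None:
        self.tenants[name] = Tenant(name)

    def disable_tenant(self, name: str) -> None:
        self.tenants[name].enabled = False

    def issue(self, user: str, tenant: str, now: float) -> str:
        """Issue a tenant-scoped token. The tenant is checked here in both
        policies; the difference is whether validate() checks it again."""
        t = self.tenants.get(tenant)
        if t is None or not t.enabled:
            raise PermissionError(f"tenant {tenant!r} is disabled or unknown")
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = Token(token_id, user, tenant, now + self.ttl_seconds)
        return token_id

    def validate(self, token_id: str, now: float) -> bool:
        tok = self.tokens.get(token_id)
        if tok is None or now >= tok.expires_at:
            return False  # unknown or expired token
        if self.check_tenant_on_validate:
            # Re-read the tenant state on every validation: a disabled
            # tenant invalidates the token right away.
            t = self.tenants.get(tok.tenant)
            if t is None or not t.enabled:
                return False
        # Issuance-time policy: nothing else is checked until expiry.
        return True


def run_scenario(check_tenant_on_validate: bool) -> tuple[bool, bool, bool]:
    """Issue a token, disable the tenant, and report the outcome of
    validating (before disable, just after disable, after expiry)."""
    svc = TokenService(ttl_seconds=3600.0,
                       check_tenant_on_validate=check_tenant_on_validate)
    svc.add_tenant("demo-tenant")
    tid = svc.issue("alice", "demo-tenant", now=0.0)
    before = svc.validate(tid, now=1.0)
    svc.disable_tenant("demo-tenant")
    after_disable = svc.validate(tid, now=2.0)
    after_expiry = svc.validate(tid, now=3601.0)
    return before, after_disable, after_expiry


def issue_refused_for_disabled_tenant() -> bool:
    """Both policies refuse to issue a new token for a disabled tenant."""
    svc = TokenService()
    svc.add_tenant("demo-tenant")
    svc.disable_tenant("demo-tenant")
    try:
        svc.issue("bob", "demo-tenant", now=0.0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("issuance-time policy  :", run_scenario(False))  # token survives disable
    print("validation-time policy:", run_scenario(True))   # token dies with tenant
```

With the issuance-time policy the scenario returns `(True, True, False)`: the token keeps working after the tenant is disabled and only stops at expiry, which is the window the note warns about. With the validation-time policy it returns `(True, False, False)`. Checking the tenant on every validation costs a lookup per request but matches the "locks people out now" expectation.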



