[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token
Kurt Seifried
kseifried at redhat.com
Thu Aug 8 15:53:35 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/08/2013 02:43 AM, Thierry Carrez wrote:
> Kurt Seifried wrote:
>> On 08/07/2013 06:33 AM, Clark, Robert Graham wrote:
>>> [DRAFT] - Please Review Disabling a tenant does not disable a
>>> user token ----
>> [...] I assume this needs a CVE?
>
> Your call... To me it's more of an explanation of how things work
> (non-obvious design with potential security implications which need
> to be communicated to users) than a vulnerability... which is why
> this was handled as a security note rather than an advisory.
Well there was
https://lists.launchpad.net/openstack/msg17035.html
and this seems to be a continuation of that problem. The expectation
is that disabling tokens/tenants/etc locks people out now, not some
point in the future. Is there any specific documentation covering this?
E.g. for Python pickle the main docs for it:
http://docs.python.org/2/library/pickle.html
have a giant red warning at the top stating the security risk. Does a
similar thing exist for OpenStack tokens?
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQIcBAEBAgAGBQJSA77+AAoJEBYNRVNeJnmTSPEQAMZFEwEPD4nVHG0gztEeOoKf
hISYKshGNThnCVDwE97JBXMuaA66pVsxRSdX3yylQttPYF/DjJJcY1Ru4N4WYye1
N6sWLq4qMxgHq7VDSEdcAkjncZv0RYlQapQKqaQIxTFi3fGL9pSZh0J+dGE7JzoL
H79EsPV+cEiNszq05ygVHYHuqA9f+niUflGHFHQglPo50rnQoSn0MKgCen7kIFvp
894KLA4yRNHiBSnRb8fkh0Xve70Sa8gF8w6Oa7SJOJtnQFweq644YddGVP5xD6pi
HAVJwEut7ontTG+39Vw5b4FTJoTiO/TBUgKhadS2RWE/dykH4rb+s/kzrmKc8Pw9
D7rYZzP1EZOj9/UpU5C0Oi5iZPiq+AWYqqVkF8zTKpe2QkbNitwuOlM6Njsui6+b
rO/sYrfIIbFDpDcqvit0rMsLsw1hRn39elte3xSZu4zN4LVUH9hPtxHAdheSkA4b
GHRnXNUvZpBpft2/WaYYGSvqzJo4Qa5amKgakJ/rR693D/3d7QK1wdxDCKjjcZGY
/vS9l8jL9BLUBPwjSg1xr4miyhpW0okkGHSGCY2VgoKGZt7mEN9P58+nwB3MvE2z
PYfLWG2B5ONwJRZpaqlzkDlY7aS64s6WLGbZm+oR9um/LlM5jI8v359oh5ywXeqV
RudAUlc/kjAloOPuajYS
=oMew
-----END PGP SIGNATURE-----
More information about the Openstack-security
mailing list