[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token

Thierry Carrez thierry at openstack.org
Fri Aug 9 08:11:32 UTC 2013


Kurt Seifried wrote:
> The expectation is that disabling tokens/tenants/etc locks people
> out now, not some point in the future. Is there any specific
> documentation covering this?
> 
> E.g. for Python pickle the main docs for it:
> 
> http://docs.python.org/2/library/pickle.html
> 
> have a giant red warning at the top stating the security risk. Does
> a similar thing exist for OpenStack tokens?

I'm pretty sure it's not documented as clearly, and I agree that the
default expectation would be that tokens are invalidated when the
tenant is disabled. Keystone makes it difficult to "fix", because it's
a bit baked in the design of the system, so a stronger change is
needed to address that.

It's probably fair to assign a CVE for this and cover for it in the
OSSN, until we have a better answer to it.

-- 
Thierry Carrez (ttx)

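An added Python illustration of the gap discussed in this thread (example code written for this page, not Keystone's own code and not from either poster): a validator that checks only a token's expiry keeps the token usable after its tenant is disabled, while one that re-reads tenant and user state at validation time rejects it immediately. The tenant and user registries, token fields and clock value are all constructed for the example.

```python
"""Constructed model of bearer-token validation: expiry-only versus state-aware.
None of the identifiers here come from Keystone; they are example data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Token:
    token_id: str
    user_id: str
    tenant_id: str
    expires_at: datetime

# Constructed directory state; each record carries an "enabled" flag.
TENANTS = {"tenant-a": {"enabled": True}, "tenant-b": {"enabled": True}}
USERS = {"alice": {"enabled": True}}

NOW = datetime(2013, 8, 9, 8, 11, tzinfo=timezone.utc)  # constructed clock

def issue_token(token_id: str, user_id: str, tenant_id: str, hours: int) -> Token:
    """Mint a token that is valid for `hours` from the constructed clock."""
    return Token(token_id, user_id, tenant_id, NOW + timedelta(hours=hours))

def validate_expiry_only(token: Token, now: datetime = NOW) -> bool:
    """The weak behaviour the thread describes: the token stays valid until it
    expires, regardless of what happened to the tenant after issuance."""
    return token.expires_at > now

def validate_with_state(token: Token, now: datetime = NOW) -> bool:
    """Hardened check: besides expiry, consult the current tenant and user
    state, so disabling either takes effect at the next use of the token."""
    if token.expires_at <= now:
        return False
    tenant = TENANTS.get(token.tenant_id)
    user = USERS.get(token.user_id)
    if tenant is None or not tenant["enabled"]:
        return False
    if user is None or not user["enabled"]:
        return False
    return True

def disable_tenant(tenant_id: str) -> None:
    """Administrative action: mark the tenant disabled in the registry."""
    TENANTS[tenant_id]["enabled"] = False

def demo() -> tuple[bool, bool]:
    """Issue a 24h token, disable its tenant, then validate it both ways.
    Returns (expiry_only_result, state_aware_result)."""
    token = issue_token("tok-1", "alice", "tenant-a", hours=24)
    disable_tenant("tenant-a")
    return validate_expiry_only(token), validate_with_state(token)
```

The same state-aware check also covers the user-disabled case and the ordinary expired-token case, which the test below exercises.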