[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token

Bryan D. Payne bdpayne at acm.org
Fri Aug 9 15:41:25 UTC 2013


+1 to Thierry's statement.  I think a CVE makes sense here.
-bryan


On Fri, Aug 9, 2013 at 1:11 AM, Thierry Carrez <thierry at openstack.org> wrote:

> Kurt Seifried wrote:
> > The expectation is that disabling tokens/tenants/etc locks people
> > out now, not some point in the future. Is there any specific
> > documentation covering this?
> >
> > E.g. for Python pickle the main docs for it:
> >
> > http://docs.python.org/2/library/pickle.html
> >
> > have a giant red warning at the top stating the security risk. Does
> > a similar thing exist for OpenStack tokens?
>
> I'm pretty sure it's not documented as clearly, and I agree that the
> default expectation would be that tokens are invalidated when the
> tenant is disabled. Keystone makes it difficult to "fix", because it's
> a bit baked in the design of the system, so a stronger change is
> needed to address that.
>
> It's probably fair to assign a CVE for this and cover for it in the
> OSSN, until we have a better answer to it.
>
> --
> Thierry Carrez (ttx)
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
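The thread is about a token that keeps working after its tenant has been disabled, because the enabled check happens at issuance and validation only looks at the signature and expiry. The Python model below is an editor's illustration added to this archive page; it is not Keystone code and not code from anyone on the thread. It constructs a toy HMAC-signed bearer token (the key, the payload layout, the user and tenant names, and the clock values are all made up for the example) and validates the same token two ways: once with the expiry-only check the thread objects to, and once with a check that consults the current user/tenant state and a revocation list on every call, which is what "locks people out now" requires.

```python
"""Toy model of the Keystone gap discussed on the list: disabling a tenant
does not invalidate tokens that were issued before the disable.

Constructed example, not Keystone's implementation. Token format, key and
sample principals are assumptions made for the illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Assumption: a demo HMAC key shared by issuer and validator (constructed).
SECRET = b"constructed-demo-signing-key"


@dataclass
class Tenant:
    name: str
    enabled: bool = True


@dataclass
class User:
    name: str
    tenant: str
    enabled: bool = True


@dataclass
class TokenService:
    """Minimal bearer-token issuer/validator with two validation strategies."""
    users: dict
    tenants: dict
    ttl: int = 3600                              # token lifetime in seconds
    revoked: set = field(default_factory=set)    # explicit revocation list

    def issue(self, username: str, now: float) -> str:
        """Mint a signed token. The enabled check happens here, and only here."""
        user = self.users[username]
        if not (user.enabled and self.tenants[user.tenant].enabled):
            raise PermissionError("user or tenant disabled")
        payload = {"user": username, "tenant": user.tenant,
                   "iat": now, "exp": now + self.ttl}
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag

    def _payload(self, token: str) -> Optional[dict]:
        """Return the signed payload, or None if the signature does not verify."""
        try:
            body_hex, tag = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(body)

    def validate_by_expiry_only(self, token: str, now: float) -> bool:
        """The behaviour the thread describes: signature plus expiry, nothing
        else. A token minted before the tenant was disabled stays good until
        'exp' passes."""
        p = self._payload(token)
        return p is not None and now < p["exp"]

    def validate_live(self, token: str, now: float) -> bool:
        """Hardened check: also consult the *current* user and tenant state and
        the revocation list, so an admin's disable takes effect immediately."""
        p = self._payload(token)
        if p is None or now >= p["exp"] or token in self.revoked:
            return False
        user = self.users.get(p["user"])
        tenant = self.tenants.get(p["tenant"])
        if user is None or tenant is None:
            return False
        return user.enabled and tenant.enabled

    def disable_tenant(self, name: str, outstanding: Iterable[str] = ()) -> None:
        """Disable a tenant and revoke any outstanding tokens the caller knows of."""
        self.tenants[name].enabled = False
        self.revoked.update(outstanding)


def demo() -> dict:
    """Issue a token, disable its tenant, then validate the same token both ways."""
    svc = TokenService(users={"alice": User("alice", "acme")},
                       tenants={"acme": Tenant("acme")})
    t0 = 1_000_000.0                             # constructed clock value
    tok = svc.issue("alice", now=t0)
    svc.disable_tenant("acme")                   # admin action, token not yet expired
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")   # flip one tag nibble
    return {
        "expiry_only_after_disable": svc.validate_by_expiry_only(tok, now=t0 + 60),
        "live_after_disable": svc.validate_live(tok, now=t0 + 60),
        "expiry_only_after_ttl": svc.validate_by_expiry_only(tok, now=t0 + 3601),
        "tampered": svc.validate_by_expiry_only(tampered, now=t0 + 60),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first two results are the point of the thread: with the expiry-only check the token is still accepted a minute after the tenant was disabled, while the live check rejects it. The cost of the live check is a lookup against identity state on every validation, which is the "baked in the design" trade-off Thierry refers to; the revocation list is the cheaper stopgap when that lookup is not available at the validating service.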

