[Openstack-security] Hmac keys in Swift tempurl middleware
Chmouel Boudjnah
chmouel at enovance.com
Wed Aug 28 16:39:28 UTC 2013
Alexandra Shulman-Peleg <SHULMANA at il.ibm.com> writes:
> It seems that keeping the keys un-encrypted as part of the account
> info is a security vulnerability which allows anyone who can read the
> account meta data to generate and fake temp urls. Shouldn't we protect
The account meta data is only available to the user owner of the account
(i.e: the one with the role admin or swiftoperator from the
operator_roles settings for keystoneauth) not to anyone else.
There is no account ACL on Swift ATM which would allow someone else to
have access to those headers.
Chmouel.
More information about the Openstack-security
mailing list