[Openstack-security] keystone tokens
Jeremy Stanley
fungi at yuggoth.org
Wed May 22 15:32:35 UTC 2013
On 2013-05-22 12:37:21 +0100 (+0100), David Chadwick wrote:
> On 22/05/2013 12:00, Clark, Robert Graham wrote:
> > On 22/05/2013 11:03, "David Chadwick" <d.w.chadwick at kent.ac.uk> wrote:
> > > On 22/05/2013 09:14, Kurt Seifried wrote:
[...]
> > > > Also the whole term "authenticated users" has bothered me
> > > > for a long time. It used to be pretty simple, users either
> > > > paid you to get access, or ere given access because they
> > > > were part of the organization (e.g. an employee, a student,
> > > > whatever). So yeah, if someone did something silly you could
> > > > go club them. But now many services have free signups
> > > > (openshift.redhat.com, all you need is a valid email address
> > > > for example) or have massive numbers of users (e.g. a cloud
> > > > provider) that are not vetted, and not heavily invested
> > > > (e.g. I can signup for an account for free at most cloud
> > > > providers, and trigger things like login DoS's without
> > > > spending any money). So "authenticated user" is no longer a
> > > > silver bullet.
[...]
> > > I dont buy into your arguments about authenticated users
> > > causing DOS problems
[...]
> > Can you elaborate on what you "don't buy", is it that
> > authenticated user attacks aren't a problem or that something
> > should be throttling their actions before they interact with
> > keystone?
[...]
> 1. I think that some of your arguments (like long pw) were really
> unauthenticated
[...]
> 2. I think that a cloud service that offers free services to
> anyone with any email address is not really an authenticated user
> service
[...]
Looks to me like you're in violent agreement with the point Kurt was
making. With low/no-investment sign-ups, authenticated users aren't
really authenticated in any useful sense.
--
Jeremy Stanley
More information about the Openstack-security
mailing list