[Openstack-security] keystone tokens
Thomas Goirand
zigo at debian.org
Wed Oct 23 06:12:29 UTC 2013
On 05/22/2013 08:38 PM, Simo Sorce wrote:
> On Wed, 2013-05-22 at 12:37 +0100, David Chadwick wrote:
>> Two reasons
>>
>> 1. I think that some of your arguments (like long pw) were really
>> unauthenticated not authenticated user arguments which can be used by
>> any attackers, and
>>
>> 2. I think that a cloud service that offers free services to anyone with
>> any email address is not really an authenticated user service, it's more
>> like a public service for everyone, where everyone is allowed to go back
>> to their own specific stake in the cloud. So the users have not been
>> identified and authenticated in any real sense. It's an OpenID, level of
>> assurance = 1, type of service, where all the cloud can be assured of is
>> that it is probably the same user every time, but it has no idea of who
>> this user is.
>
> In both cases you can throttle either by IP or by user name.
> I bet there are many other expensive operations a user can perform.
> If there is no throttling a user can simply perform N more operations to
> reach the same load on keystone.
> Unless there is some form of throttling you cannot really defend against
> this kind of DoS attack.
>
> Simo.
If the above is true, then I'd find it a very good thing if Keystone
offered this kind of throttling directly as a feature, rather than
relying on service providers to implement it themselves.
Thomas Goirand (zigo)
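Simo's point above, that without throttling a client can simply repeat an expensive operation N times and that the throttle can key on IP or on user name, as an added Python illustration (not Keystone's code; the request format, the limits and the stand-in password check are assumptions):

```python
from collections import defaultdict, deque

# Added illustration, not Keystone's own code. Requests are constructed
# dicts with 'ip', 'username' and 'password'; limits and window are example
# values; the clock is passed in explicitly so the run is deterministic.

class Throttle:
    """Sliding-window limiter: at most `limit` events per `window` seconds
    for each key (here an IP address or a user name)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def expensive_password_check(password):
    """Stand-in for the costly credential verification (e.g. hashing a very
    long password); only how often it runs matters for this example."""
    return password == "correct-horse"  # constructed expected value

def authenticate(req, ip_throttle, user_throttle, now, stats):
    """Consult both throttles before any expensive work, so a rejected request
    costs almost nothing. Returns 'throttled', 'ok' or 'denied'."""
    if not ip_throttle.allow(req["ip"], now):
        return "throttled"
    if not user_throttle.allow(req["username"], now):
        return "throttled"
    stats["hashes"] += 1  # the cost a flood of requests tries to multiply
    return "ok" if expensive_password_check(req["password"]) else "denied"

def simulate(requests, ip_limit=5, user_limit=3, window=60.0):
    """Replay requests one second apart; return outcome counts and the
    number of expensive checks that actually ran."""
    ip_t, user_t = Throttle(ip_limit, window), Throttle(user_limit, window)
    stats, outcomes = {"hashes": 0}, defaultdict(int)
    for i, req in enumerate(requests):
        outcomes[authenticate(req, ip_t, user_t, float(i), stats)] += 1
    return dict(outcomes), stats["hashes"]

# Constructed sample: one client repeats a huge wrong password against one account.
FLOOD = [{"ip": "192.0.2.10", "username": "alice", "password": "x" * 100000}] * 20
```

With the limits above, 20 repeated requests trigger only 3 expensive checks; the remaining 17 are rejected before any hashing, while a different user from a different address is still served.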