[Openstack-security] keystone tokens

Thomas Goirand zigo at debian.org
Wed Oct 23 06:12:29 UTC 2013


On 05/22/2013 08:38 PM, Simo Sorce wrote:
> On Wed, 2013-05-22 at 12:37 +0100, David Chadwick wrote:
>> Two reasons
>>
>> 1. I think that some of your arguments (like long pw) were really 
>> unauthenticated not authenticated user arguments which can be used by 
>> any attackers, and
>>
>> 2. I think that a cloud service that offers free services to anyone with 
>> any email address is not really an authenticated user service, it's more 
>> like a public service for everyone, where everyone is allowed to go back 
>> to their own specific stake in the cloud. So the users have not been 
>> identified and authenticated in any real sense.  It's an OpenID, level of 
>> assurance =1, type of service, where all the cloud can be assured of is 
>> that it is probably the same user every time, but it has no idea of who 
>> this user is.
> 
> In both cases you can throttle either by IP or by user name.
> I bet there are many other expensive operations a user can perform.
> If there is no throttling a user can simply perform N more operations to
> reach the same load on keystone.
> Unless there is some form of throttling you cannot really defend against this
> kind of DoS attack.
> 
> Simo.

If the above is true, then I'd find it a very good thing if Keystone
offered this kind of throttling directly as a feature, rather than
relying on service providers to implement it themselves.

Thomas Goirand (zigo)
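The per-IP and per-user-name throttling Simo describes, worked through as an added example (not Keystone code and not from anyone in this thread): a token-bucket limiter is checked on both keys before the expensive part of authentication runs, so neither one address trying many user names nor one user name sprayed from many addresses gets unthrottled access to that path. The bucket sizes, refill rates and addresses are constructed values, not Keystone defaults.

```python
import time


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second up to `capacity`."""

    def __init__(self, capacity: float, rate: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = capacity, 0.0

    def allow(self, now: float) -> bool:
        # Credit tokens for the time elapsed since the last call, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class AuthThrottle:
    """Gate expensive auth work (e.g. password verification) per source IP and per user name.

    Both buckets are charged on every attempt, including rejected ones, so a rejected
    request still counts against the caller. Limits here are constructed example values.
    """

    def __init__(self, per_ip=(20, 2.0), per_user=(5, 0.5), clock=time.monotonic):
        self.per_ip, self.per_user, self.clock = per_ip, per_user, clock
        self.ip_buckets, self.user_buckets = {}, {}

    def _bucket(self, table, key, limits):
        if key not in table:
            table[key] = TokenBucket(*limits)
        return table[key]

    def allow(self, ip: str, user: str) -> bool:
        """Return True only if both the IP bucket and the user-name bucket have a token."""
        now = self.clock()
        ip_ok = self._bucket(self.ip_buckets, ip, self.per_ip).allow(now)
        user_ok = self._bucket(self.user_buckets, user, self.per_user).allow(now)
        return ip_ok and user_ok


if __name__ == "__main__":
    throttle = AuthThrottle()
    # Constructed spray: one user name from many addresses; the user bucket stops it.
    print([throttle.allow(f"198.51.100.{i}", "alice") for i in range(7)])
```

Only a request that passes `allow()` should reach the password check; rejected requests return early and cost the service nothing beyond the bucket lookup.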
