[Openstack-security] [Bug 1299039] Re: Token Scoping
Malini Bhandaru
malini.k.bhandaru at intel.com
Sat Apr 5 01:11:26 UTC 2014
Seems like horizon login page should take as input a "scope", domain (and even project possibly) to avoid such an issue.
Users are supposed to be unique per domain.
Then we could enforce any subsequent token creation to the domain and
project of the current token. So no more or less harm than the token
already leaked.
Further, we could limit horizon admin uses to only "read-only" on other
domains/projects.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1299039
Title:
Token Scoping
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
In the Havana stable release, for both V2.0 and V3,
a scoped token can be used to get another scoped or un-scoped token.
This can be exploited by anyone who has gained access to a scoped
token.
For example,
1. userA is related to two projects: Project1, Project2
2. userA creates tokenA scoped by Project1
3. userA shares the tokenA to a third party (malicious).
4. Third party can now make a token creation call to create a new tokenB scoped under projectB using tokenA.
Although we know that a bearer token has an all-or-nothing property, scoping the token can limit the exposure.
A scoped token should not be allowed to create another scoped token.
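The sequence in steps 1-4 above, and the proposed restriction, modelled as an added example (constructed here, not Keystone's own code or Horizon's): a toy in-memory token service whose `token_auth` method plays the role of Keystone's "use a token to get a token" path, with a `restrict_rescope` switch that refuses to trade a project-scoped token for a token of any other scope.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Raised when a token request is refused by the scoping policy."""

@dataclass(frozen=True)
class Token:
    token_id: str
    user: str
    project: Optional[str]  # None means an unscoped token

class TokenService:
    """Constructed model, not Keystone. assignments maps user -> projects the
    user holds a role on. restrict_rescope=True applies the fix proposed in the
    bug: a scoped token may only yield tokens with exactly its own scope."""

    def __init__(self, assignments, restrict_rescope=True):
        self.assignments = assignments
        self.restrict_rescope = restrict_rescope
        self.tokens = {}

    def _issue(self, user, project):
        if project is not None and project not in self.assignments.get(user, set()):
            raise Forbidden(f"{user} has no role on {project}")
        tok = Token(secrets.token_hex(16), user, project)
        self.tokens[tok.token_id] = tok
        return tok

    def authenticate(self, user, project=None):
        """Initial login (the password check is omitted in this model)."""
        return self._issue(user, project)

    def token_auth(self, token_id, project=None):
        """The 'token' auth method: present an existing token to obtain another."""
        source = self.tokens.get(token_id)
        if source is None:
            raise Forbidden("unknown or expired token")
        if self.restrict_rescope and source.project is not None and project != source.project:
            # Fix: a project-scoped token is confined to the project it was
            # issued for, so a leaked tokenA cannot be turned into a Project2 token.
            raise Forbidden("a scoped token cannot be used to obtain a differently scoped token")
        return self._issue(source.user, project)

ASSIGNMENTS = {"userA": {"Project1", "Project2"}}  # constructed sample data

def demo(restrict_rescope):
    """Replay steps 1-4 of the bug; returns tokenB's project or 'refused'."""
    svc = TokenService(ASSIGNMENTS, restrict_rescope)
    token_a = svc.authenticate("userA", "Project1")            # step 2
    try:
        return svc.token_auth(token_a.token_id, "Project2").project  # step 4
    except Forbidden:
        return "refused"
```

With `restrict_rescope=False` the third party's rescope succeeds exactly as the bug describes; with it enabled, an unscoped token can still be scoped and a Project1 token can still be renewed as a Project1 token, but nothing else.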