[Openstack-security] Fw: [openstack-dev] [Keystone] [Swift] Question re. keystone domains

Clark, Robert Graham robert.clark at hp.com
Wed Jul 2 18:14:46 UTC 2014


It's ugly from a design point of view, unless Keystone had some call
that Swift could make to _verify_ what is, or isn't restricted - which
would decouple the security assumption somewhat but introduce more
complexity into Keystone of course.

^ Not suggesting that's sensible but better than just hoping/assuming
Keystone is configured the way you expect it to be.

-Rob

> -----Original Message-----
> From: Nathan Kinder [mailto:nkinder at redhat.com]
> Sent: 02 July 2014 16:17
> To: openstack-security at lists.openstack.org
> Subject: Re: [Openstack-security] Fw: [openstack-dev] [Keystone] [Swift]
> Question re. keystone domains
> 
> 
> 
> On 07/02/2014 01:16 AM, Shohel Ahmed wrote:
> > Bringing this to OSSG attention.
> >
> > The second one seems a security critical assumption. Without
> > input/output validation in keystone/Swift for domain_id or good
> > documentation in place, this assumption can be exploited later on by
> > some attacker to break Swift.
> 
> Yeah, I'm a bit concerned as well.  Making assumptions about the domain
> names that are allowed is bad.  If there is a need for a special string that
> can't be used for a valid domain, Keystone should enforce that restriction.
> That said, I haven't looked at the proposed Swift changes in detail yet to
> fully understand the approach.
> 
> -NGK
> 
> >
> > ...shohel
> >
> >
> >
> >
> > On Tuesday, July 1, 2014 10:19 PM, Dolph Mathews
> > <dolph.mathews at gmail.com> wrote:
> >
> > On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair
> > <alistair.coles at hp.com> wrote:
> >
> >     We have a change [1] under review in Swift to make access control
> >     lists compatible with migration to keystone v3 domains. The change
> >     makes two assumptions that I'd like to double-check with keystone
> >     folks:
> >
> >     1. That a project can never move from one domain to another.
> >
> > We're moving in this direction, at least. In Grizzly and Havana, we
> > made no such restriction. In Icehouse, we introduced such a
> > restriction by default, but it can be disabled. So far, we haven't
> > gotten any complaints about adding the restriction, so maybe we should
> > just add additional help text to the option in our config about why
> > you would never want to disable the restriction, citing how it would
> > break swift?
> >
> >     2. That the underscore character cannot appear in a valid
> >     domain id - more specifically, that the string '_unknown' cannot be
> >     confused with a domain id.
> >
> > That's fairly sound. All of our domain IDs are system-assigned as
> > UUIDs, except for the "default" domain which has an explicit
> > id='default'. We don't do anything to validate the assumption, though.
> >
> >     Are those safe assumptions?
> >
> >     Thanks,
> >     Alistair
> >
> >     [1] https://review.openstack.org/86430
> >
> >     _______________________________________________
> >     OpenStack-dev mailing list
> >     OpenStack-dev at lists.openstack.org
> >     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > _______________________________________________
> > Openstack-security mailing list
> > Openstack-security at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security