[Openstack-security] [Bug 1299012] Re: V3 api authentication method chaining
OpenStack Infra
1299012 at bugs.launchpad.net
Tue Jun 10 14:30:59 UTC 2014
Reviewed: https://review.openstack.org/84945
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=33fd4cf8b308fd078e632eed9f398b91ed77b35b
Submitter: Jenkins
Branch: master
commit 33fd4cf8b308fd078e632eed9f398b91ed77b35b
Author: guang-yee <guang.yee at hp.com>
Date: Wed Apr 2 21:41:11 2014 -0700
Make sure all the auth plugins agree on the shared identity attributes.
Note: this patch also corrected some of the external auth tests where an
auth request consists of two methods with two different identities.
Closes-Bug: #1299012
Change-Id: I5d7dd42d373879322823b16b215f11a015b734f8
** Changed in: keystone
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1299012
Title:
V3 api authentication method chaining
Status in OpenStack Identity (Keystone):
Fix Committed
Status in OpenStack Security Advisories:
Invalid
Bug description:
When using authentication method chaining for token creation (POST)
in Keystone V3 api , it is possible to use authentication credentials
for two different users . For example, if i have an existing token for
a Demo user, say 6bb934a0120f097a32b5d3cc71f83beb ( created earlier
for demo tenant) and i have a user say 'test131' in admin tenant
Now i can make an authentication call using auth method chaining
{
"auth":{
"identity":{
"methods":[
"password",
"token"
],
"token":{
"id":"6bb934a0120f097a32b5d3cc71f83beb"
},
"password":{
"user":{
"domain":{
"id":"default"
},
"name":"test131",
"password":"test131"
}
}
}
}
}
The call will succeed even though two different users authentication
credentials are used. The generated token will get properties of
test131 user although the expirary date is set by demo user token. If
we change the methods sequence, the generated token will get all
properties from demo users token.
This is an undesired security behaviour - token should not be allowed to generate using credentials from two different users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1299012/+subscriptions
More information about the Openstack-security
mailing list