[Openstack-security] [Bug 1071815] Re: auth_token middleware does not check if an endpoint is in the service catalog
Morgan Fainberg
morgan.fainberg at gmail.com
Wed Mar 2 16:41:02 UTC 2016
** Project changed: keystone => keystonemiddleware
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1071815
Title:
auth_token middleware does not check if an endpoint is in the service
catalog
Status in keystonemiddleware:
Triaged
Bug description:
We include the catalog in the token, but it is not checked. Thus, a
token that is intended for a subset of the endpoints can be used on
additional endpoints. This prevents a user from creating a token
specific to an endpoint. The comparable mechanism is service tickets
in Kerberos. If a rogue service gets a ticket in Kerberos, it cannot
reuse that ticket elsewhere. With the current token scheme, all
tokens on a compromised server are at risk of being abused throughout
an OpenStack deployment.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1071815/+subscriptions
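The check the report says is missing, written out as an added example (this is not keystonemiddleware's code and not a patch for the bug): a service validating a token compares its own endpoint URL against the catalog carried in the token and rejects the request when the endpoint is not listed. It assumes the Keystone v3 token layout (`token["catalog"]` is a list of services, each with `endpoints` carrying `interface` and `url`); the hostnames, ports and both catalogs are constructed for the example, and a token without a catalog is rejected (fail closed), which is this example's own design choice.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(url):
    """Split a URL into (scheme, host, port, path) with defaults filled in,
    so that 'https://h/' and 'https://h:443' compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path.rstrip("/") or "/"
    return scheme, host, port, path


def endpoint_in_catalog(catalog, service_url, interface="public"):
    """True if service_url lies under some endpoint of the given interface
    in a Keystone v3 style catalog (list of services with 'endpoints')."""
    scheme, host, port, path = _normalize(service_url)
    for service in catalog:
        for ep in service.get("endpoints", []):
            if ep.get("interface", "public") != interface:
                continue
            e_scheme, e_host, e_port, e_path = _normalize(ep["url"])
            if (e_scheme, e_host, e_port) != (scheme, host, port):
                continue
            # Prefix match on a path-segment boundary, so that
            # '/v2.1-other' is not accepted for an endpoint at '/v2.1'.
            if e_path == "/" or path == e_path or path.startswith(e_path + "/"):
                return True
    return False


def check_token_for_endpoint(token_body, service_url, interface="public"):
    """Decide whether a validated token may be used at service_url.
    Returns (accepted, reason). A token with no catalog is rejected."""
    catalog = token_body.get("token", {}).get("catalog")
    if not catalog:
        return False, "token carries no service catalog"
    if endpoint_in_catalog(catalog, service_url, interface):
        return True, "endpoint listed in token catalog"
    return False, "endpoint %s not in token catalog" % service_url


# Constructed catalogs: a full one, and one restricted to the image service
# (the kind of endpoint-specific token the report says cannot be enforced).
FULL_CATALOG = [
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://compute.example.test:8774/v2.1"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.5:8774/v2.1"},
    ]},
    {"type": "image", "name": "glance", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://image.example.test:9292"},
    ]},
]
IMAGE_ONLY_CATALOG = [s for s in FULL_CATALOG if s["type"] == "image"]

FULL_TOKEN = {"token": {"catalog": FULL_CATALOG}}
IMAGE_ONLY_TOKEN = {"token": {"catalog": IMAGE_ONLY_CATALOG}}


if __name__ == "__main__":
    compute_url = "https://compute.example.test:8774/v2.1/servers/detail"
    for name, tok in (("full", FULL_TOKEN), ("image-only", IMAGE_ONLY_TOKEN)):
        ok, why = check_token_for_endpoint(tok, compute_url)
        print("%-10s token at compute endpoint: %s (%s)" % (name, ok, why))
```

With the image-only token, the compute endpoint is refused even though the token itself is valid, which is the Kerberos-style property the report asks for: a token handed to one service is not automatically usable at every other one. Matching on scheme, host and port as well as path prefix matters; comparing only hostnames would let an endpoint on another port of the same host pass.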