[Openstack-security] [Bug 1268751] Re: Potential token revocation abuse via group membership
Adam Young
1268751 at bugs.launchpad.net
Wed Mar  2 21:32:24 UTC 2016

This is only a problem when using revoke by ID.  It will get cleaned up
as a side effect of going to Fernet and using revocation events. Since
it has hit no-one in the wild, lowering the priority.
** Changed in: keystone
   Importance: Wishlist => Low
-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1268751
Title:
  Potential token revocation abuse via group membership
Status in OpenStack Identity (keystone):
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Bug description:
  If a group is deleted, all tokens for all users that are a member of
  that group are revoked.  This leads to potential abuse:
  1. A group admin adds a user to a group without the user's knowledge
  2. User creates token
  3. Admin deletes group.
  4. All of the user's tokens are revoked.
  Admittedly, this abuse must be instigated by a group admin, which is
  the global admin in the default policy file, but an alternative policy
  file could allow for the delegation of "add user to group" behavior.
  In such a system, this could act as a denial of service attack for a
  set of users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1268751/+subscriptions
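The report's concern is a policy file that delegates "add user to group" (or group deletion) beyond the global admin. The following audit check is an added example, not code from the bug report or from keystone itself; it assumes keystone's policy.json uses the targets `identity:add_user_to_group` and `identity:delete_group` with the stock rule `rule:admin_required`, and the two policy documents are constructed samples.

```python
import json

# Keystone policy targets that control who can change group membership and
# remove groups (assumption: target names as in keystone's policy.json).
GROUP_TARGETS = ("identity:add_user_to_group", "identity:delete_group")
STOCK_RULE = "rule:admin_required"


def delegated_group_targets(policy: dict) -> dict:
    """Return {target: [extra principals]} for every group-management target
    whose rule grants someone other than the stock admin_required rule.

    A target missing from the file falls back to the policy's "default" rule,
    which is how oslo.policy resolves unknown targets."""
    flagged = {}
    for target in GROUP_TARGETS:
        rule = policy.get(target, policy.get("default", STOCK_RULE))
        # Split top-level alternatives; anything besides admin_required is a
        # delegation that widens who can trigger mass token revocation.
        extra = [alt.strip() for alt in rule.split(" or ")
                 if alt.strip() != STOCK_RULE]
        if extra:
            flagged[target] = extra
    return flagged


# Constructed sample: stock policy keeps both operations admin-only.
DEFAULT_POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "identity:add_user_to_group": "rule:admin_required",
  "identity:delete_group": "rule:admin_required"
}""")

# Constructed sample: an alternative policy delegates both operations to a
# "group_admin" role, the setup the bug report describes as a DoS risk.
DELEGATED_POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "identity:add_user_to_group": "rule:admin_required or role:group_admin",
  "identity:delete_group": "rule:admin_required or role:group_admin"
}""")

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY),
                         ("delegated", DELEGATED_POLICY)):
        print(name, delegated_group_targets(policy) or "no delegation")
```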