[Openstack-security] [Bug 1268751] Related fix proposed to keystone (master)
OpenStack Infra
1268751 at bugs.launchpad.net
Fri Nov 18 18:32:20 UTC 2016
Related fix proposed to branch: master
Review: https://review.openstack.org/399728
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1268751
Title:
Potential token revocation abuse via group membership
Status in OpenStack Identity (keystone):
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
If a group is deleted, all tokens for all users that are a member of
that group are revoked. This leads to potential abuse:
1. A group admin adds a user to a group without users knowledge
2. User creates token
3. Admin deletes group.
4. All of the users tokens are revoked.
Admittedly, this abuse must be instigated by a group admin, which is
the global admin in the default policy file, but an alternative policy
file could allow for the delegation of "add user to group" behavior.
In such a system, this could act as a denial of service attack for a
set of users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1268751/+subscriptions
More information about the Openstack-security
mailing list