[Openstack-security] [Bug 1268751] Related fix merged to keystone (master)

OpenStack Infra 1268751 at bugs.launchpad.net
Tue Nov 29 17:15:43 UTC 2016


Reviewed:  https://review.openstack.org/399728
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=df721d05bfa4c69f8540d6051912d2430ed06213
Submitter: Jenkins
Branch:    master

commit df721d05bfa4c69f8540d6051912d2430ed06213
Author: Richard <csravelar at gmail.com>
Date:   Fri Nov 18 18:25:07 2016 +0000

    Don't invalidate all user tokens of roleless group
    
    As discussed in [1], deleting a group invalidates all user tokens
    which can flood the revocation event table if the deleted group
    contained thousands of users in the group. This happens regardless
    of whether the group had any role assignment or not. This patch makes
    it so that only groups that had role assignments to a project or
    domain can then invalidate user tokens, otherwise there is no need
    to revoke each user token because the group was not assigned any form
    of authorization to begin with.
    
    [1]: https://bugs.launchpad.net/keystone/+bug/1268751
    
    Related-Bug: #1268751
    
    Change-Id: I22ad364cb4737df3ed086f78310f75f3099ab4c1

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1268751

Title:
  Potential token revocation abuse via group membership

Status in OpenStack Identity (keystone):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  If a group is deleted, all tokens for all users that are a member of
  that group are revoked.  This leads to potential abuse:

  1. A group admin adds a user to a group without the user's knowledge
  2. User creates token
  3. Admin deletes group.
  4. All of the user's tokens are revoked.

  Admittedly, this abuse must be instigated by a group admin, which is
  the global admin in the default policy file, but an alternative policy
  file could allow for the delegation of "add user to group" behavior.
  In such a system, this could act as a denial of service attack for a
  set of users.

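The behaviour described in the commit message and the bug report, as an added illustration in Python that is not keystone's own code: a constructed in-memory model with a group membership map, a group role-assignment map and a revocation event table. The `IdentityStore` class, its method names and the `check_assignments` switch are assumptions made for this example; `check_assignments=False` reproduces the pre-fix behaviour (every member's tokens revoked on any group delete), and `check_assignments=True` reproduces the fix (revocation events only when the group actually carried a role assignment). `victim_keeps_token` walks through the four-step abuse from the bug description.

```python
from dataclasses import dataclass, field


@dataclass
class RevocationEvent:
    # One row per revoked user: deleting a group with thousands of members
    # fans out into thousands of rows in the revocation table.
    user_id: str
    reason: str


@dataclass
class IdentityStore:
    """Constructed stand-in for keystone's identity/assignment backends (assumption)."""
    # group_id -> set of member user ids
    members: dict = field(default_factory=dict)
    # group_id -> set of (target_type, target_id) role assignments
    assignments: dict = field(default_factory=dict)
    # the revocation event table
    revocation_events: list = field(default_factory=list)

    def add_member(self, group_id: str, user_id: str) -> None:
        self.members.setdefault(group_id, set()).add(user_id)

    def assign_role(self, group_id: str, target: tuple) -> None:
        # target is e.g. ("project", "p1") or ("domain", "d1")
        self.assignments.setdefault(group_id, set()).add(target)

    def group_has_assignments(self, group_id: str) -> bool:
        return bool(self.assignments.get(group_id))

    def delete_group(self, group_id: str, check_assignments: bool = True) -> int:
        """Delete a group; return the number of revocation events emitted."""
        users = self.members.pop(group_id, set())
        had_roles = self.group_has_assignments(group_id)
        self.assignments.pop(group_id, None)
        if check_assignments and not had_roles:
            # The group granted no authorization, so no token derived any
            # rights from it: nothing to revoke, no flood of the event table.
            return 0
        for user_id in sorted(users):
            self.revocation_events.append(
                RevocationEvent(user_id, f"group {group_id} deleted"))
        return len(users)

    def token_valid(self, user_id: str) -> bool:
        # A token is treated as revoked once any event names its user.
        return not any(e.user_id == user_id for e in self.revocation_events)


def simulate_group_delete(n_users: int, group_has_role: bool,
                          check_assignments: bool) -> int:
    """Constructed scenario: one group with n_users members, deleted once."""
    store = IdentityStore()
    for i in range(n_users):
        store.add_member("g1", f"user-{i}")
    if group_has_role:
        store.assign_role("g1", ("project", "p1"))
    return store.delete_group("g1", check_assignments=check_assignments)


def victim_keeps_token(check_assignments: bool) -> bool:
    """Bug scenario: admin adds 'victim' to a roleless group, then deletes it."""
    store = IdentityStore()
    store.add_member("roleless", "victim")       # step 1, without the user's knowledge
    assert store.token_valid("victim")           # step 2, the user's token is live
    store.delete_group("roleless", check_assignments=check_assignments)  # step 3
    return store.token_valid("victim")           # step 4: was the token revoked?


if __name__ == "__main__":
    print("pre-fix, roleless group of 5000:", simulate_group_delete(5000, False, False))
    print("fixed,   roleless group of 5000:", simulate_group_delete(5000, False, True))
    print("fixed,   group with role of 5000:", simulate_group_delete(5000, True, True))
    print("victim keeps token after fix:", victim_keeps_token(True))
```

The fix does not change the outcome for groups that do carry a role assignment: those still revoke every member's tokens, because the tokens may have derived authorization from the group. Only the roleless case is short-circuited, which is exactly the case the bug report's abuse relies on.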