[Openstack-security] [Bug 1656076] Re: The keystone server auth plugin methods could mismatch user_id in auth_context
Steve Martinelli
1656076 at bugs.launchpad.net
Fri Jan 13 17:29:53 UTC 2017
** Changed in: keystone/ocata
Assignee: Steve Martinelli (stevemar) => Morgan Fainberg (mdrnstm)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076
Title:
The keystone server auth plugin methods could mismatch user_id in
auth_context
Status in OpenStack Identity (keystone):
In Progress
Status in OpenStack Identity (keystone) mitaka series:
Invalid
Status in OpenStack Identity (keystone) newton series:
Invalid
Status in OpenStack Identity (keystone) ocata series:
In Progress
Bug description:
The keystone server blindly overwrites the auth_context.user_id in
each auth method that is run. This means that the last auth_method
that is run for a given authentication request dictates the user_id.
While this is not exploitable externally without misconfiguration of
the external plugin methods and supporting services, this is a bad
state that could relatively easily result in someone ending up
authenticated with the wrong user_id.
The simplest fix will be to have the for loop in the authentication
controller (that iterates over the methods) to verify the user_id does
not change between auth_methods executed.
https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557
This has been marked as public security for hardening purposes, likely
a "Class D" https://security.openstack.org/vmt-process.html#incident-
report-taxonomy
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions
More information about the Openstack-security
mailing list