[Openstack] [OSSG][OSSN] Potential token revocation abuse via group membership

Nathan Kinder nkinder at redhat.com
Wed Apr 2 15:00:31 UTC 2014



Potential token revocation abuse via group membership
---

### Summary ###
Deletion of groups in Keystone causes token revocation for group
members.  If group capabilities are delegated to users, they can abuse
those capabilities to maliciously revoke tokens for other users.

### Affected Services / Software ###
Keystone, Grizzly, Havana, Icehouse

### Discussion ###
If a group is deleted from Keystone, all tokens for all users that are
members of that group are revoked.  By adding users to a group without
those users' knowledge and then deleting that group, a group admin can
revoke all of the users' tokens.  While the default policy file gives
the group admin role to global admin, an alternative policy could
delegate the "create_group", "add_user_to_group", and "delete_group"
capabilities to a set of users.  In such a system, those users will also
get a token revocation capability.  Only setups using a custom policy
file in Keystone are affected.

### Recommended Actions ###
Keystone's default policy.json file uses the "admin_required" rule for
the "create_group", "delete_group", and "add_user_to_group"
capabilities.  It is recommended that you use this default configuration
if possible.  Here is an example snippet of a properly configured
policy.json file:

---- begin example policy.json snippet ----
    "identity:create_group": "rule:admin_required",
    "identity:delete_group": "rule:admin_required",
    "identity:add_user_to_group": "rule:admin_required",
---- end example policy.json snippet ----

If you need to delegate the above capabilities to non-admin users, you
need to take into account that those users will also be able to revoke
tokens for other users by adding them to a group and then deleting that
group.  Be careful about whom you delegate these capabilities to.
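As an added example that is not part of this OSSN, the following Python
audit reads a Keystone policy.json and reports any of the three group
capabilities that is not locked to "rule:admin_required"; both policy
fragments below are constructed for the example, and the fallback to the
file's "default" rule for a missing entry mirrors Keystone's policy
engine behaviour as assumed here.

```python
import json

# The three capabilities that OSSN-0009 ties to token revocation.
GROUP_CAPABILITIES = (
    "identity:create_group",
    "identity:delete_group",
    "identity:add_user_to_group",
)

# Constructed sample matching the shipped default: all three locked to admin.
DEFAULT_POLICY = """{
    "admin_required": "role:admin or is_admin:1",
    "default": "rule:admin_required",
    "identity:create_group": "rule:admin_required",
    "identity:delete_group": "rule:admin_required",
    "identity:add_user_to_group": "rule:admin_required"
}"""

# Constructed sample of a custom policy that delegates two capabilities
# to a "group_manager" role; such users can revoke other users' tokens.
DELEGATED_POLICY = """{
    "admin_required": "role:admin or is_admin:1",
    "default": "rule:admin_required",
    "identity:create_group": "rule:admin_required",
    "identity:delete_group": "role:group_manager",
    "identity:add_user_to_group": "role:group_manager or rule:admin_required"
}"""


def audit_group_policy(policy_text):
    """Return {capability: rule} for every group capability whose rule is
    anything other than the bare "rule:admin_required".

    A capability missing from the file is treated as using the file's
    "default" rule (assumed fallback), so it is still checked.
    """
    policy = json.loads(policy_text)
    findings = {}
    for cap in GROUP_CAPABILITIES:
        rule = policy.get(cap, policy.get("default"))
        if rule != "rule:admin_required":
            findings[cap] = rule
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_POLICY), ("delegated", DELEGATED_POLICY)):
        print(name, audit_group_policy(text))  # delegated -> two findings
```

A rule such as "role:group_manager or rule:admin_required" is reported
too, since any non-admin clause widens who can trigger the revocation.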

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0009
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1268751
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
