EC2 token creation no longer possible for admin

Bug #1263804 reported by Dirk Mueller
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Guang Yee
Milestone: 2014.1

Bug Description

With the security fix for "[OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391)", Bug #1242597, it is no longer possible to create ec2 credentials with just the admin service token + service endpoint.

Log file gives:

2013-12-23 22:13:12.197 22611 WARNING keystone.common.wsgi [-] Authorization failed. Could not find token, 120726431688. from 192.168.226.81

where 120... is the admin token.

Revision history for this message
Steven Hardy (shardy) wrote :

IMO this is a feature not a bug - the service admin token shouldn't be associated with ec2 credentials like this, you should request a token as a real user and create the ec2 credentials as that user.

Can you expand on the use-case for this?

Seems like another security hole in the making to me, since you're creating (non expiring) credentials, which can be trivially used by any admin (any user with admin role in any project, not just the service admin token) to gain all the roles of the trustor, not only those delegated, defeating the entire point of trusts in all environments which enable the ec2tokens extension.

Also, when considering this issue, please bear in mind bug #968696 - the fact that admin role gives admin everywhere is a bug (a really bad one, specific to keystone), so IMO we should not perpetuate that wrong assumption by allowing code to circumvent delegation restrictions just because the user has the admin role.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

I would like to also know the actual usecase for this configuration. I am concerned about the security implications.

Changed in keystone:
status: New → Incomplete
Adam Young (ayoung)
Changed in keystone:
status: Incomplete → Confirmed
assignee: nobody → Adam Young (ayoung)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/69007

Changed in keystone:
status: Confirmed → In Progress
Changed in keystone:
assignee: Adam Young (ayoung) → Guang Yee (guang-yee)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/70847
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Submitter: Jenkins
Branch: master

commit b5ab8fe9d63dd65786dd13adee2a6dd25b7c483a
Author: guang-yee <email address hidden>
Date: Mon Feb 3 13:17:34 2014 -0800

    allow create credential with the system admin token

    We are looking up trust_id during create credential, which means the caller must
    use a Keystone-issued token. This is unrealistic, as creating credentials is
    often done as part of bootstrap, using the static system admin token.
    Furthermore, deployments which use external authorization will break, as they
    may not have a token_id in the request context.

    For the above reasons, we'll skip the trust_id lookup if the request token_id is
    either absent or is the static system admin token.

    closes bug 1275145
    closes bug 1263804

    Change-Id: I6cda3c5f36c9754ab84e28ff9a9289887d6c9b77

Changed in keystone:
status: In Progress → Fix Committed
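As an added illustration (not keystone's own code, and not the patch behind the review link above), the following Python model shows the decision the commit message describes: the trust lookup is skipped when the request carries no token_id or carries the static admin token, and otherwise the calling token's trust_id is copied into the EC2 credential so that tokens later minted from that credential are limited to the delegated roles, which is the behaviour OSSA 2013-032 introduced and the comments above defend. Every function name, the token/trust/role dictionaries and the admin token value are assumptions made for this example.

```python
"""Model of trust_id handling around EC2 credential creation (added example).

Not keystone code: resolve_trust_id, create_ec2_credential,
roles_for_ec2_credential and the sample stores below are assumptions
made to illustrate the fix described in the commit message.
"""
import hmac
import uuid

# Constructed sample data standing in for keystone.conf and its backends.
ADMIN_TOKEN = "120726431688"  # hypothetical static admin_token value
TOKENS = {
    "tok-user": {"user_id": "alice", "trust_id": None},     # normal user token
    "tok-trust": {"user_id": "bob", "trust_id": "trust-1"},  # trust-scoped token
}
TRUSTS = {
    "trust-1": {"trustor_user_id": "alice", "trustee_user_id": "bob",
                "roles": ["Member"]},
}
ASSIGNED_ROLES = {
    "alice": {"proj-a": ["admin", "Member"]},
    "bob": {"proj-a": ["Member"]},
}


def resolve_trust_id(token_id, admin_token=ADMIN_TOKEN, tokens=TOKENS):
    """Return the trust_id behind the calling token, or None.

    The pre-fix behaviour always looked the token up, so a bootstrap call made
    with the static admin token failed with "Could not find token" (the
    warning quoted in the bug).  The fixed behaviour skips the lookup when the
    request has no token_id (external authorization) or when the token is the
    static admin token, and only then consults the token backend.
    """
    if not token_id:
        return None
    if hmac.compare_digest(token_id, admin_token):  # constant-time compare
        return None
    try:
        return tokens[token_id]["trust_id"]
    except KeyError:
        # Any other unknown token is still rejected, as before the fix.
        raise LookupError("Could not find token, %s." % token_id)


def create_ec2_credential(token_id, user_id, project_id):
    """Build an EC2 credential record for user_id on project_id.

    If the caller authenticated with a trust-scoped token, the trust_id is
    carried in the blob so the delegation restriction survives into any
    token later minted from this access/secret pair.
    """
    trust_id = resolve_trust_id(token_id)
    blob = {"access": uuid.uuid4().hex, "secret": uuid.uuid4().hex}
    if trust_id:
        blob["trust_id"] = trust_id
    return {"user_id": user_id, "project_id": project_id, "blob": blob}


def roles_for_ec2_credential(cred, trusts=TRUSTS, assigned=ASSIGNED_ROLES):
    """Roles an EC2 token minted from cred would carry.

    A credential created under a trust yields only the delegated roles; one
    created directly (including at bootstrap with the admin token) yields the
    user's own assignments on the project.
    """
    trust_id = cred["blob"].get("trust_id")
    if trust_id:
        return list(trusts[trust_id]["roles"])
    return list(assigned[cred["user_id"]][cred["project_id"]])


if __name__ == "__main__":
    # Bootstrap path from the bug: static admin token, no trust lookup.
    boot = create_ec2_credential(ADMIN_TOKEN, "alice", "proj-a")
    print("bootstrap roles:", roles_for_ec2_credential(boot))
    # Trustee path: credential inherits the trust and its role restriction.
    delegated = create_ec2_credential("tok-trust", "bob", "proj-a")
    print("delegated roles:", roles_for_ec2_credential(delegated))
```

Running the module shows the two paths side by side: the bootstrap credential yields alice's full role set on proj-a, while the credential created through bob's trust-scoped token yields only the delegated Member role. A token that is neither absent, the admin token, nor known to the token store is still refused with the same "Could not find token" message the reporter saw.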
Revision history for this message
David Comay (comay) wrote :

As 1242597 was backported to Havana and Grizzly, are there plans to backport this fix as well? Alternatively, what's the recommended workaround for those releases?

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-rc1
status: Fix Committed → Fix Released
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc1 → 2014.1