EC2 token creation no longer possible for admin
Bug #1263804 reported by Dirk Mueller
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Guang Yee | |
Bug Description
With the security fix for "[OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391)", Bug #1242597, it is no longer possible to create EC2 credentials with just the admin service token + service endpoint.
Log file gives:
2013-12-23 22:13:12.197 22611 WARNING keystone.
where 120... is the admin token.
Changed in keystone:
status: Incomplete → Confirmed
assignee: nobody → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Guang Yee (guang-yee)
Changed in keystone:
milestone: none → icehouse-rc1
status: Fix Committed → Fix Released
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
milestone: icehouse-rc1 → 2014.1
IMO this is a feature, not a bug: the service admin token shouldn't be associated with EC2 credentials like this; you should request a token as a real user and create the EC2 credentials as that user.
Can you expand on the use-case for this?
Seems like another security hole in the making to me, since you're creating (non-expiring) credentials which can be trivially used by any admin (any user with the admin role in any project, not just the service admin token) to gain all the roles of the trustor, not only those delegated, defeating the entire point of trusts in all environments which enable the ec2tokens extension.
Also, when considering this issue, please bear in mind bug #968696 - the fact that admin role gives admin everywhere is a bug (a really bad one, specific to keystone), so IMO we should not perpetuate that wrong assumption by allowing code to circumvent delegation restrictions just because the user has the admin role.