domain_id in User/Group/Project should be immutable

Bug #1291393 reported by Henry Nash
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Henry Nash

Bug Description

Today we allow the domain_id in User, Group and Project entities to be updated... effectively moving the entity between domains. With today's policy capability this represents a potential security hole if you are trying to enforce strict domain admin type of roles. We should allow a cloud provider to disable this current update ability... and make the domain_id attribute immutable in the same way we do for the id of the entity.

Here's a recipe for how to create this potential security hole using the v3 policy sample file:
- Have a user with role 'admin' on the domain_A (this makes them a "domain admin")
- They try and update their user entity (or any other user entity) with {'domain_id': domain_B}. This will succeed, even though the goal of the v3 policy sample file is to restrict such a user's access to only objects in domain_A
- The user is now part of domain_B
- The above does not actually yet give the user the ability to authenticate to domain_B (since they do not have a role on that domain)... but it perhaps lays the groundwork for some other attack to enable that

Revision history for this message
Dolph Mathews (dolph) wrote :

+1

If there's a strong use case in favor of allowing mutable domain ID's, I don't think I've heard it.

Changed in keystone:
status: New → Triaged
Haneef Ali (haneef) wrote :

+1. Once upon a time, I asked why we are allowing update of domain_id, and at that time it was considered a feature. Good we are trying to revert it now.

Henry Nash (henry-nash)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/80769

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/80769
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a
Submitter: Jenkins
Branch: master

commit a2fa6a6f01a4884edf369cafa39946636af5cf1a
Author: Henry Nash <email address hidden>
Date: Sat Mar 15 09:22:24 2014 +0000

    Provide option to make domain_id immutable

    Currently, a user, group or project entity can be moved between
    domains by updating their domain_id. There are situations where
    this is not desirable (and in fact could create a potential security
    hole) - for example when creating a domain admin persona, using an
    appropriate policy file (such as policy.v3cloudsample).

    For backward compatibility, the option to make the domain_id immutable
    is controlled by a config option, with the default being no change
    to existing functionality.

    Change-Id: Idd847f471beae7387d6cc59af0a960a923da799f
    Closes-Bug: 1291393
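The bug description above walks through how a domain-scoped admin can move an entity into another domain because the policy rule is evaluated against the entity's current domain, and the merged commit describes the mitigation: a config switch that makes domain_id immutable, defaulting to the legacy behaviour. The following is an added toy model of that request path, written for this page and not keystone's own code; the option name `domain_id_immutable`, the `Entity`/`Config` classes and the `domain_admin_may_update` rule are assumptions standing in for keystone's real policy and config machinery.

```python
from dataclasses import dataclass, replace


class ImmutableAttributeError(Exception):
    """Raised when an update tries to change an attribute that is locked."""


@dataclass
class Config:
    # Assumed option name, modelled on the config switch the fix commit
    # describes; False keeps the legacy behaviour (domain_id may be changed).
    domain_id_immutable: bool = False


@dataclass
class Entity:
    """Minimal stand-in for a keystone User/Group/Project record."""
    id: str
    domain_id: str
    name: str = ""


def domain_admin_may_update(token_domain_id, target):
    """Toy stand-in for a v3 'domain admin' policy rule: the caller's token
    must be scoped to the domain the target entity currently belongs to.
    Note it only inspects the entity as it is *before* the update."""
    return token_domain_id == target.domain_id


def apply_update(entity, update, config):
    """Apply `update` to `entity`, enforcing immutable attributes.

    'id' is always immutable (the existing behaviour the report refers to);
    'domain_id' becomes immutable only when the config option is enabled.
    """
    for key in ("id", "domain_id"):
        locked = key == "id" or config.domain_id_immutable
        if locked and key in update and update[key] != getattr(entity, key):
            raise ImmutableAttributeError(key)
    allowed = {k: v for k, v in update.items() if k in ("domain_id", "name")}
    return replace(entity, **allowed)


def handle_update(token_domain_id, entity, update, config):
    """Full request path: policy check on the current entity, then the update.

    Returns (status, entity_after) with status 'ok', 'forbidden' (policy
    rejected the caller) or 'immutable' (a locked attribute was targeted).
    """
    if not domain_admin_may_update(token_domain_id, entity):
        return "forbidden", entity
    try:
        return "ok", apply_update(entity, update, config)
    except ImmutableAttributeError:
        return "immutable", entity


if __name__ == "__main__":
    # Constructed sample: a user in domain_A, updated by a domain_A admin.
    user = Entity(id="u-1", domain_id="domain_A", name="alice")
    move = {"domain_id": "domain_B"}
    # Legacy setting: the policy rule passes (target is in domain_A) and the
    # entity ends up in domain_B, exactly the recipe from the bug description.
    print(handle_update("domain_A", user, move, Config(domain_id_immutable=False)))
    # With the option enabled the move is refused and the entity stays put.
    print(handle_update("domain_A", user, move, Config(domain_id_immutable=True)))
```

The point the model makes explicit is that the policy check alone cannot close the hole: it is evaluated against the entity's pre-update domain, so any domain-scoped rule is satisfied at the moment the move is requested. Locking the attribute in the update path is what actually prevents the cross-domain move.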

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc1 → 2014.1