OpenStack Identity (keystone)

Token Scoping

Bug #1299039 reported by Abu Shohel Ahmed
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Wishlist
Adam Young
OpenStack Identity (keystone) 2015.1.0 "kilo"

Bug Description

In Havana Stable release for both V2.0 an V3,

A scoped token can be used to get another scoped or un-scopped token. This can be exploited by anyone who has gained access to a scoped token.

For example,

1. userA is related to two projects: Project1, Project2
2. userA creates tokenA scoped by Project1
3. userA shares the tokenA to a third party (malicious).
4. Third party can now make a token creation call to create a new tokenB scoped under projectB using tokenA.

Although, we know that bearer token has all or nothing property, scoping the token can limit the exposure.
A scoped token should not be allowed to create another scoped token.

Tags: security
Revision history for this message
Dolph Mathews (dolph) wrote :

Subscribed Adam Young, who has looked into this before, and I believe found a blocker to changing this behavior?

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Adam Young (ayoung) wrote :

It would break Horizon.

On initial login, Horizon passes user id and password to the V2 API. If no tenant is specified, it gets s token scoped to the default tenant.

Even if it didn't, however, Horizon only holds on to the last token , and revokes all eralier, so you would break the ability to go from project to project.

Priti Desai (priti-desai)
Changed in keystone:
assignee: nobody → Priti Desai (priti-desai)
Revision history for this message
Malini Bhandaru (malini-k-bhandaru) wrote :

Seems like horizon login page should take as input a "scope", domain (and even project possibly) to avoid such an issue.
Users are supposed to be unique per domain.

Then we could enforce any subsequent token creation to the domain and project of the current token. So no more or less harm than the token already leaked.

Further, we could limit horizon admin uses to only "read-only" on other domains/projects.

Revision history for this message
Dolph Mathews (dolph) wrote :

Implemented as part of:

  https://blueprints.launchpad.net/keystone/+spec/rescoping

Changed in keystone:
milestone: none → 2015.1.0
status: Triaged → Fix Released
assignee: Priti Desai (priti-desai) → Adam Young (ayoung)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.