auth_token middleware does not check if an endpoint is in the service catalog
Bug #1071815 reported by Adam Young
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
keystonemiddleware | Won't Fix | Wishlist | Unassigned |
Bug Description
We include the catalog in the token, but it is not checked. Thus, a token that is intended for a subset of the endpoints can be used on additional endpoints. This prevents a user from creating a token specific to an endpoint. The comparable mechanism is service tickets in Kerberos. If a rogue service gets a ticket in Kerberos, it cannot reuse that ticket elsewhere. With the current token scheme, all tokens on a compromised server are at risk of being abused throughout an OpenStack deployment.
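The check the report asks for, as an added example that is not part of the bug report or of keystonemiddleware: after the token has been validated, the service compares its own endpoint URL against the catalog carried in the token and rejects the request if that endpoint is not listed. The catalog layout (a list of services, each with `endpoints` carrying `interface`, `region` and `url`) follows the Keystone v3 token body; the sample token, the hostnames and the helper names (`endpoint_in_catalog`, `check_token_for_endpoint`) are constructed for this example. A token scoped to a subset of services would simply carry a shorter catalog, and the same comparison would reject it on every endpoint outside that subset.

```python
from urllib.parse import urlparse

# Constructed sample of the relevant part of a Keystone v3 token body.
# Only two services are listed, so the token should be usable on those
# two endpoints and nowhere else.
SAMPLE_TOKEN = {
    "token": {
        "catalog": [
            {"type": "image", "name": "glance",
             "endpoints": [{"interface": "public", "region": "RegionOne",
                            "url": "https://image.example.test:9292"}]},
            {"type": "identity", "name": "keystone",
             "endpoints": [{"interface": "public", "region": "RegionOne",
                            "url": "https://identity.example.test:5000/v3"}]},
        ]
    }
}

# A token with no catalog at all (unscoped, or catalog stripped by the
# issuer): constructed to show the fail-closed branch.
UNSCOPED_TOKEN = {"token": {}}

_DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """Normalise a URL to (scheme, host, port) so that path differences,
    letter case and an omitted default port do not defeat the comparison."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower() if parts.hostname else None
    port = parts.port or _DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def endpoint_in_catalog(catalog, service_url, interface="public"):
    """True if service_url's origin matches an endpoint of the given
    interface anywhere in the catalog."""
    wanted = _origin(service_url)
    for service in catalog:
        for endpoint in service.get("endpoints", []):
            if endpoint.get("interface") != interface:
                continue
            if _origin(endpoint.get("url", "")) == wanted:
                return True
    return False


def check_token_for_endpoint(token_body, service_url, interface="public"):
    """Decide whether an already-validated token may be used at service_url.

    Fails closed: a token without a catalog cannot prove it was meant for
    this endpoint, so it is rejected rather than treated as unrestricted.
    """
    catalog = token_body.get("token", {}).get("catalog")
    if not catalog:
        return False
    return endpoint_in_catalog(catalog, service_url, interface)


if __name__ == "__main__":
    # Request arriving at the image service: allowed by the catalog.
    print(check_token_for_endpoint(SAMPLE_TOKEN,
                                   "https://image.example.test:9292/v2/images"))
    # Same token replayed against a compute endpoint not in the catalog: denied.
    print(check_token_for_endpoint(SAMPLE_TOKEN,
                                   "https://compute.example.test:8774/v2.1"))
```

The comparison is on scheme, host and port rather than on the full URL, so a request path under the catalogued endpoint still matches, while a different port on the same host (the usual way two services share a host) does not. In a real middleware the `service_url` would come from configuration rather than from the request's `Host` header, since the latter is attacker-controlled.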
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
affects: keystone → keystonemiddleware