Potential token revocation abuse via group membership
Bug #1268751 reported by
Adam Young
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Won't Fix
|
Low
|
Richard | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Tristan Cacqueray | ||
OpenStack Security Notes |
Fix Released
|
Medium
|
Nathan Kinder |
Bug Description
If a group is deleted, all tokens for all users that are a member of that group are revoked. This leads to potential abuse:
1. A group admin adds a user to a group without users knowledge
2. User creates token
3. Admin deletes group.
4. All of the users tokens are revoked.
Admittedly, this abuse must be instigated by a group admin, which is the global admin in the default policy file, but an alternative policy file could allow for the delegation of "add user to group" behavior. In such a system, this could act as a denial of service attack for a set of users.
Changed in ossa: | |
status: | Confirmed → Triaged |
Changed in keystone: | |
assignee: | nobody → Adam Young (ayoung) |
Changed in ossa: | |
status: | Incomplete → Won't Fix |
Changed in keystone: | |
milestone: | icehouse-3 → next |
Changed in ossn: | |
assignee: | nobody → Nathan Kinder (nkinder) |
Changed in ossn: | |
importance: | Undecided → Medium |
tags: | removed: grizzly-backport-potential |
tags: | removed: havana-backport-potential |
information type: | Public Security → Public |
information type: | Public → Public Security |
information type: | Public Security → Public |
tags: | added: security |
Changed in keystone: | |
importance: | High → Low |
importance: | Low → Wishlist |
Changed in keystone: | |
assignee: | nobody → Ron De Rose (ronald-de-rose) |
Changed in keystone: | |
assignee: | Richard (csravelar) → nobody |
assignee: | nobody → Richard (csravelar) |
status: | Triaged → Won't Fix |
To post a comment you must log in.
I'd suggest opening publicly as this possibility was discussed/ discovered publicly in #opensatck-dev prior to this bug report. Given that this requires a very specific custom policy configuration to provide a viable means of exposure, I suspect that the real-world impact is also minimal.