Comment 13 for bug 1268751

Tristan Cacqueray (tristan-cacqueray) wrote :

Alright, thank you Jeremy, so this is:
Draft impact description #3 -

Title: Potential token revocation abuse via group membership
Reporter: Adam Young (Red Hat)
Products: Keystone
Affects: All supported versions

Description:
Adam Young from Red Hat reported a vulnerability in the Keystone revocation process. If a group is deleted, all tokens for all users that are members of that group are revoked. By adding users to a group without those users' knowledge and then deleting that group, a group admin can revoke all of the users' tokens. While the default policy file gives the group admin role to global admin, an alternative policy could delegate the "create_group", "add_user_to_group", "delete_group" capabilities to a set of users. In such a system, those users will also get a token revocation capability. Only setups using a custom policy file in Keystone are affected.
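A quick way to check whether a deployment is in the affected configuration is to expand the group-related rules in policy.json and see whether anyone other than the global admin satisfies them. The script below is an added example for this comment, not code from the bug report or from Keystone itself. The policy target names ("identity:create_group", "identity:add_user_to_group", "identity:delete_group") and the "admin_required" alias are Keystone's own; the sample policy file, the "group_admin" role, and the heuristic that treats only "role:admin" / "is_admin:1" as admin-only are constructed for the example.

```python
import json
import re

# Keystone v3 policy targets the advisory says combine into a token revocation
# capability when they are delegated beyond the global admin.
GROUP_TARGETS = (
    "identity:create_group",
    "identity:add_user_to_group",
    "identity:delete_group",
)

# Checks that the heuristic accepts as "global admin only". Anything else in an
# expanded rule (another role, a project match, "@" for allow-all) is treated as
# a delegation. This is an assumption of the example, not Keystone's semantics.
ADMIN_CHECKS = {"role:admin", "is_admin:1"}

# Constructed sample: a custom policy file that delegates group management to a
# hypothetical "group_admin" role. This is the affected shape described above.
SAMPLE_POLICY = """
{
  "admin_required": "role:admin or is_admin:1",
  "group_admin": "rule:admin_required or role:group_admin",
  "identity:create_group": "rule:group_admin",
  "identity:add_user_to_group": "rule:group_admin",
  "identity:delete_group": "rule:group_admin",
  "identity:list_groups": "rule:admin_required"
}
"""

# Constructed sample: the default shape, where the targets stay admin-only.
DEFAULT_POLICY = """
{
  "admin_required": "role:admin or is_admin:1",
  "identity:create_group": "rule:admin_required",
  "identity:add_user_to_group": "rule:admin_required",
  "identity:delete_group": "rule:admin_required"
}
"""


def expand(rules, expr, depth=0):
    """Inline every rule:<name> alias so only concrete checks remain."""
    if depth > 20:
        raise ValueError("rule alias cycle or excessive nesting")
    return re.sub(
        r"rule:(\w+)",
        lambda m: "(" + expand(rules, rules[m.group(1)], depth + 1) + ")",
        expr,
    )


def is_admin_only(rules, target):
    """True if the expanded rule for `target` contains only admin checks."""
    expr = rules.get(target)
    if expr is None or expr.strip() == "!":
        return True          # target absent or explicitly denied: nobody can use it
    expanded = expand(rules, expr)
    if "@" in expanded:
        return False         # "@" allows everyone
    checks = re.findall(r"[A-Za-z_]+:[A-Za-z0-9_%.]+", expanded)
    return all(c in ADMIN_CHECKS for c in checks)


def delegated_group_targets(policy_text):
    """Return the group targets whose rule reaches beyond the global admin."""
    rules = json.loads(policy_text)
    return [t for t in GROUP_TARGETS if not is_admin_only(rules, t)]


def assess(policy_text):
    """Summarise exposure to the group-deletion revocation described above.

    The advisory lists all three capabilities together; this check assumes the
    pair that actually triggers the revocation is add_user_to_group plus
    delete_group, since deleting a group revokes its members' tokens.
    """
    delegated = delegated_group_targets(policy_text)
    exposes = ("identity:add_user_to_group" in delegated
               and "identity:delete_group" in delegated)
    return {"delegated": delegated, "exposes_revocation": exposes}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_POLICY), ("default", DEFAULT_POLICY)):
        print(name, assess(text))
```

Run it against a real policy.json by passing the file contents to assess(); a non-empty "delegated" list with "exposes_revocation" set is the configuration the impact description is talking about.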