Token Scoping

Bug #1299039 reported by Abu Shohel Ahmed on 2014-03-28
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Adam Young

Bug Description

In the Havana stable release, for both V2.0 and V3,

A scoped token can be used to get another scoped or un-scoped token. This can be exploited by anyone who has gained access to a scoped token.

For example,

1. userA is related to two projects: Project1, Project2
2. userA creates tokenA scoped by Project1
3. userA shares the tokenA to a third party (malicious).
4. Third party can now make a token creation call to create a new tokenB scoped under projectB using tokenA.

Although we know that a bearer token has an all-or-nothing property, scoping the token can limit the exposure.
A scoped token should not be allowed to create another scoped token.

Dolph Mathews (dolph) wrote :

Subscribed Adam Young, who has looked into this before, and I believe found a blocker to changing this behavior?

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Adam Young (ayoung) wrote :

It would break Horizon.

On initial login, Horizon passes user id and password to the V2 API. If no tenant is specified, it gets a token scoped to the default tenant.

Even if it didn't, however, Horizon only holds on to the last token, and revokes all earlier ones, so you would break the ability to go from project to project.

Changed in keystone:
assignee: nobody → Priti Desai (priti-desai)

Seems like horizon login page should take as input a "scope", domain (and even project possibly) to avoid such an issue.
Users are supposed to be unique per domain.

Then we could enforce any subsequent token creation to the domain and project of the current token. So no more or less harm than the token already leaked.

Further, we could limit Horizon admin users to only "read-only" on other domains/projects.
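The following is an added toy model (not Keystone code, and not from any participant in this thread) of the two behaviours discussed above: the reported one, where any valid token can be exchanged for a token scoped to any of the holder's projects, and the rule proposed in the comment above, where a token obtained from a scoped token must stay within that token's scope while an unscoped token (or a password login) may still be scoped to any permitted project. The user, projects, password and token format are all constructed for the example; the function `leaked_token_reach` replays the four-step scenario from the bug description under both rules.

```python
"""Toy model of token rescoping rules (added example, not Keystone's code).

Everything here is constructed for illustration: the user, the projects,
the credential and the token format.  It exists only to show the effect
of the rule "a scoped token can only reissue its own scope" on the
leaked-token scenario described in the bug report.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed role assignments: user -> projects the user has a role on.
ASSIGNMENTS = {"userA": {"Project1", "Project2"}}
# Constructed credential store (plaintext only because this is a toy).
PASSWORDS = {"userA": "constructed-password"}


@dataclass(frozen=True)
class Token:
    id: str
    user: str
    project: Optional[str]  # None means the token is unscoped


class RescopeError(Exception):
    """Raised when a scoped token is used to obtain a differently scoped token."""


class TokenService:
    def __init__(self):
        self._tokens = {}

    def _issue(self, user, project):
        tok = Token(secrets.token_hex(16), user, project)
        self._tokens[tok.id] = tok
        return tok

    def authenticate(self, user, password, project=None):
        """Password login: unscoped if no project given, else scoped to it."""
        if PASSWORDS.get(user) != password:
            raise PermissionError("bad credentials")
        if project is not None and project not in ASSIGNMENTS[user]:
            raise PermissionError(f"{user} has no role on {project}")
        return self._issue(user, project)

    def rescope(self, token_id, project, strict=True):
        """Exchange an existing token for one scoped to `project`.

        strict=False reproduces the behaviour reported in the bug: any valid
        token can be traded for a token on any of the user's projects.
        strict=True applies the proposed rule: a scoped token may only be
        reissued for its own project; an unscoped token may pick any project.
        """
        tok = self._tokens.get(token_id)
        if tok is None:
            raise PermissionError("unknown or revoked token")
        if project not in ASSIGNMENTS[tok.user]:
            raise PermissionError(f"{tok.user} has no role on {project}")
        if strict and tok.project is not None and tok.project != project:
            raise RescopeError(
                f"token scoped to {tok.project} may not be rescoped to {project}")
        return self._issue(tok.user, project)


def leaked_token_reach(strict):
    """Replay the scenario from the bug: userA creates a Project1-scoped token
    and it ends up in someone else's hands.  Returns the set of projects that
    holder can obtain tokens for."""
    svc = TokenService()
    token_a = svc.authenticate("userA", "constructed-password", "Project1")
    reach = set()
    for target in sorted(ASSIGNMENTS["userA"]):
        try:
            reach.add(svc.rescope(token_a.id, target, strict=strict).project)
        except RescopeError:
            pass
    return reach


def unscoped_login_reach():
    """Under the strict rule an unscoped token still reaches every permitted
    project, which is the path a client such as Horizon would need to keep
    project switching working."""
    svc = TokenService()
    unscoped = svc.authenticate("userA", "constructed-password")
    return {svc.rescope(unscoped.id, p, strict=True).project
            for p in ASSIGNMENTS["userA"]}


if __name__ == "__main__":
    print("reported behaviour, leaked token reaches:", leaked_token_reach(False))
    print("proposed rule, leaked token reaches:    ", leaked_token_reach(True))
    print("proposed rule, unscoped token reaches:  ", unscoped_login_reach())
```

With `strict=False` the leaked Project1 token yields tokens for both projects; with the proposed rule it yields only Project1, and the cost Adam Young describes shows up in `unscoped_login_reach`: a client that wants to switch projects must hold an unscoped token (or re-authenticate) rather than rescope the project token it already has.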

Dolph Mathews (dolph) wrote :
Changed in keystone:
milestone: none → 2015.1.0
status: Triaged → Fix Released
assignee: Priti Desai (priti-desai) → Adam Young (ayoung)