notification not generated for authentication failure with invalid user name

Bug #1537963 reported by Thomas Hsiao on 2016-01-26
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Morgan Fainberg

Bug Description

Enable event notification in log mode:
[DEFAULT]
notification_format = cadf
notification_driver = log

Test by "Create a token"
$ openstack token issue

1. [OK] Correct user name and password: an event notification was created with "event_type": "identity.authenticate"
 "outcome": "success"

2. [OK] Correct user name but invalid password: an event notification was also created with "event_type": "identity.authenticate"
 "outcome": "failure"

3. [BUG] Invalid user name: NO event notification was created.

This may cause a security issue.

Changed in keystone:
assignee: nobody → Thomas Hsiao (thomas-hsiao)
Steve Martinelli (stevemar) wrote :

sounds like it should be fixed, surprised that it isn't already handled.

Changed in keystone:
importance: Undecided → Wishlist
milestone: none → mitaka-3
summary: - Enent Notification not generated for authentication failure with invalid
- user name
+ notification not generated for authentication failure with invalid user
+ name
Changed in keystone:
status: New → Triaged
Changed in keystone:
milestone: mitaka-3 → none

Fix proposed to branch: master
Review: https://review.openstack.org/280994

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Thomas Hsiao (thomas-hsiao) → Guang Yee (guang-yee)
tags: added: notifications

Change abandoned by Thomas Hsiao (<email address hidden>) on branch: master
Review: https://review.openstack.org/280994
Reason: Abandon for now.

Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Guang Yee (guang-yee) → nobody
status: In Progress → Triaged
Colin Best (cbest47) on 2017-08-02
Changed in keystone:
assignee: nobody → Colin Best (cbest47)
Changed in keystone:
assignee: Colin Best (cbest47) → nobody

Fix proposed to branch: master
Review: https://review.openstack.org/613455

Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/613455
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a02a47a65f2be3d80d8e05685d6001c91aaeef25
Submitter: Zuul
Branch: master

commit a02a47a65f2be3d80d8e05685d6001c91aaeef25
Author: Morgan Fainberg <email address hidden>
Date: Thu Oct 25 17:41:13 2018 -0700

    Emit CADF notifications on authentication for invalid users

    Emit CADF notifications on authentication when the user_name or the
    user_id is invalid (UserNotFound raised). This closes a minor security
    gap in notifications.

    Change-Id: If8b49b5dc49a4b0670fb81a493f50c77df7b4362
    closes-bug: #1537963

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-2

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
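
The gap reported in this bug, as an added sketch that is not keystone's code: an authentication path whose unknown-user exception escapes before any event is emitted, next to one that emits a failure event first. The function names, the in-memory user store and the simplified event dictionary are assumptions; only `identity.authenticate`, the `outcome` values and `UserNotFound` come from the report and the commit message.

```python
# Added illustration, not keystone code; all function names are hypothetical.
import hashlib
import hmac

class UserNotFound(Exception):
    """Unknown user (exception name taken from the commit message)."""

# Constructed user store: name -> SHA-256 of the password (demo only).
USERS = {"alice": hashlib.sha256(b"correct-password").hexdigest()}

def _notify(sink, outcome):
    # Simplified stand-in for a CADF event; both fields appear in the report.
    sink.append({"event_type": "identity.authenticate", "outcome": outcome})

def _check(user_name, password):
    if user_name not in USERS:
        raise UserNotFound(user_name)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, USERS[user_name])

def authenticate_before(sink, user_name, password):
    """Reported behaviour: UserNotFound escapes before anything is emitted."""
    ok = _check(user_name, password)
    _notify(sink, "success" if ok else "failure")
    return ok

def authenticate_after(sink, user_name, password):
    """Fixed behaviour: an unknown user also produces a failure event."""
    try:
        ok = _check(user_name, password)
    except UserNotFound:
        _notify(sink, "failure")
        raise
    _notify(sink, "success" if ok else "failure")
    return ok

def replay(auth, attempts):
    """Return the outcomes an audit consumer sees for the given attempts."""
    sink = []
    for user_name, password in attempts:
        try:
            auth(sink, user_name, password)
        except UserNotFound:
            pass  # the client gets an authentication error either way
    return [event["outcome"] for event in sink]

# The three cases from the bug description, with constructed credentials.
ATTEMPTS = [("alice", "correct-password"), ("alice", "wrong"), ("ghost", "x")]
```

Replaying `ATTEMPTS` through `authenticate_before` leaves two events for three attempts, so failed logins against non-existent accounts never reach the audit trail; `authenticate_after` records all three.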
