keystone ADMIN_TOKEN set by default can lead to default insecure deployment
Bug #1545789 reported by Morgan Fainberg
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Adam Young | |
| OpenStack Security Notes | Fix Released | High | Robert Clark | |
Bug Description
The Keystone configuration sets the ADMIN_TOKEN option to "ADMIN" by default, which means that unless the deployment specifically changes this value to a secure value, the filter "admin_auth_token" will accept the value of "ADMIN" as an all-access administrative token for the OpenStack deployment (when interacting with keystone).
The fix will be to make this value "None" by default, and if the option is unset, the "admin_token_auth" filter will simply pass, continuing to allow normal credentials to work.
This is a CLASS B1 (my assessment) https:/
This bug was opened so we can issue an OSSA/OSSN with the fix.
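The two behaviours the report contrasts, as an added example that is not part of the bug report or of keystone's own code: a small model of the admin token filter, run against a deployment that never set the option, once with the pre-fix shipped default of "ADMIN" and once with the post-fix default of None. The config key name `admin_token` under `[DEFAULT]` and the conf fragments are assumptions constructed for the example.

```python
import configparser
import hmac
from typing import List, Optional

# Constructed keystone.conf fragments (not from the bug report).
INSECURE_CONF = """
[DEFAULT]
admin_token = ADMIN
"""

UNSET_CONF = """
[DEFAULT]
# admin_token deliberately not set: operator relies on the shipped default
"""


def load_admin_token(conf_text: str) -> Optional[str]:
    """Return the configured admin_token, or None when it is absent or empty."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value = cp.get("DEFAULT", "admin_token", fallback=None)
    if value is None or not value.strip():
        return None
    return value.strip()


def effective_admin_token(conf_text: str, shipped_default: Optional[str]) -> Optional[str]:
    """Before the fix the unset option fell back to "ADMIN"; after it falls back to None."""
    configured = load_admin_token(conf_text)
    return configured if configured is not None else shipped_default


def admin_token_auth(admin_token: Optional[str], request_token: Optional[str]) -> str:
    """Model of the filter's decision: 'admin' grants all access, 'pass' defers to normal credentials."""
    if admin_token is None:
        return "pass"  # post-fix: no token configured, the filter never grants admin
    if request_token is not None and hmac.compare_digest(admin_token, request_token):
        return "admin"
    return "pass"


def audit(conf_text: str, shipped_default: Optional[str]) -> List[str]:
    """Defender's check: flag any deployment where "ADMIN" would be honoured as the admin token."""
    findings = []
    token = effective_admin_token(conf_text, shipped_default)
    if token is None:
        return findings
    findings.append("admin_token is active; unset it once bootstrap is complete")
    if token == "ADMIN":
        findings.append("admin_token is the shipped default 'ADMIN'")
    return findings
```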
Changed in keystone:
- assignee: nobody → Adam Young (ayoung)

Changed in keystone:
- status: Triaged → In Progress

Changed in ossn:
- assignee: nobody → Robert Clark (robert-clark)
- status: New → Confirmed
- importance: Undecided → High

Changed in ossn:
- status: Confirmed → Fix Released
This was marked as public because it's not like this was unknown to begin with and has been extensively discussed in documentation/IRC