keystone ADMIN_TOKEN set by default can lead to default insecure deployment
Bug #1545789 reported by
Morgan Fainberg
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Adam Young | ||
| OpenStack Security Notes |
Fix Released
|
High
|
Robert Clark | ||
Bug Description
The Keystone configuration sets the ADMIN_TOKEN option to "ADMIN" by default, which means that unless the deployment specifically changes this value to a secure value, the filter "admin_auth_token" will accept the value of "ADMIN" as an all-access administrative token for the openstack deployment (when interacting with keystone).
The fix will be to make this value "None" by default, and if the option is unset, the "admin_token_auth" filter will simply pass, continuing to allow normal credentials to work.
This is a CLASS B1 (my assessment) https:/
This bug was opened so we can issue an OSSA/OSSN with the fix.
| Changed in keystone: | |
| assignee: | nobody → Adam Young (ayoung) |
Revision history for this message
| Morgan Fainberg (mdrnstm) wrote | #1 |
Revision history for this message
| Morgan Fainberg (mdrnstm) wrote | #2 |
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote | #3 |
| Changed in keystone: | |
| status: | Triaged → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #4 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #5 |
| Changed in keystone: | |
| assignee: | Adam Young (ayoung) → Steve Martinelli (stevemar) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Change abandoned on keystone (master) | #6 |
Revision history for this message
| Steve Martinelli (stevemar) wrote | #7 |
| Changed in keystone: | |
| status: | In Progress → Fix Released |
| assignee: | Steve Martinelli (stevemar) → Adam Young (ayoung) |
| Changed in ossn: | |
| assignee: | nobody → Robert Clark (robert-clark) |
| status: | New → Confirmed |
| importance: | Undecided → High |
Revision history for this message
| Robert Clark (robert-clark) wrote | #8 |
Revision history for this message
| Robert Clark (robert-clark) wrote | #9 |
| Changed in ossn: | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
This was marked as public because it's not like this was unknown to begin with and has been extensively discussed in documentation/IRC