Comment 4 for bug 1618615

Charles Neill (charles-neill) wrote: Re: Potential information disclosure in "credentials", 500 error

Apologies for neglecting to mention that this is indeed only relevant for EC2 credentials.

I didn't investigate the EC2 controller previously, but it's certainly a good thing that it uses UUIDs by default. The likelihood of brute-forcing this space is very low in the real world, and I would agree that C1 seems reasonable for that potential scenario.

For this to be a more practical attack, it seems an admin user would have to manually add credentials as "ec2" type, and choose something sensitive and/or predictable as the access key, instead of typical values. I think this is at least a possibility for some users, given that the API documentation currently discusses mostly EC2 credentials, and uses values that might be misleading to users who are unaware of what "EC2 credentials" are in the first place.

Clarifying the documentation on this matter and mentioning it in a short OSSN might be helpful, so that anyone who might've accidentally used this functionality in a non-standard way can take mitigating actions.

Re: "500" errors, our team is currently testing Keystone for security defects with the tool we've been building (https://github.com/openstack/syntribos) as part of OSIC, and I anticipate we will probably find a few more of these types of bugs. In the future, should we post these 500 errors individually, or aggregate them together? Thanks!