Attack could lock out a service account
Bug #1642348 reported by
Ron De Rose
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Ron De Rose | ocata-2
Bug Description
If security_compliance lockout_
```shell
# The remaining OS_* variables (OS_AUTH_URL, OS_PROJECT_NAME, ...) are assumed
# to be set already; only the username and a deliberately wrong password matter.
export OS_USERNAME=nova
export OS_PASSWORD=fail
while true; do openstack token issue; done
```
The nova service would eventually be locked out and would fail authentication until the lockout duration ended or an admin re-enabled the user account.
description: updated
Changed in keystone:
  status: New → In Progress
Changed in keystone:
  milestone: ocata-1 → ocata-2
This is the nature of PCI: I can lock out another co-worker if I know his/her username. The crux of this problem is that there are well-known usernames in OpenStack -- "admin", "nova", etc.
There are multiple ways to solve this issue.
1) Leverage the PCI blacklist -- these users are already exempt from changing their password every X days, so why not exempt them from lockout via failed auth, too?
2) Make PCI configurable per-domain. The service accounts are the ones we care most about in this situation, and they will likely reside in the same domain, so enforce PCI on domainA, but not domainB. The implementation would be similar to how we do things with LDAP.
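The following is an added example, not Keystone's code and not posted by anyone on this bug. It models the behaviour the report describes (every failed password attempt counts against the username, whoever sent it, so an attacker who knows only the name "nova" can lock the service out until `lockout_duration` passes) and the two mitigations proposed in the comment above: an exemption list for service accounts (option 1) and enforcing the policy only in selected domains (option 2). All names in it (`LockoutPolicy`, `IdentityBackend`, `lockout_scenario`, the users and passwords) are this example's own assumptions; the policy fields only mirror the intent of the `[security_compliance]` `lockout_failure_attempts` and `lockout_duration` options.

```python
"""Model of a Keystone-style failed-authentication lockout (added example,
not Keystone's code). Names below are this example's own."""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class LockoutPolicy:
    failure_attempts: int = 3             # failed attempts before lockout
    lockout_duration: int = 600           # seconds the account stays locked
    exempt_users: FrozenSet[str] = frozenset()         # option 1: exempt list
    enforced_domains: Optional[FrozenSet[str]] = None  # option 2; None = all


@dataclass
class UserState:
    domain: str
    password: str
    failures: int = 0
    locked_at: Optional[float] = None


class IdentityBackend:
    def __init__(self, policy: LockoutPolicy, users: Dict[str, UserState]):
        self.policy = policy
        self.users = users

    def _enforced(self, name: str, user: UserState) -> bool:
        """Does the lockout policy apply to this user at all?"""
        if name in self.policy.exempt_users:
            return False
        domains = self.policy.enforced_domains
        return domains is None or user.domain in domains

    def _is_locked(self, user: UserState, now: float) -> bool:
        if user.locked_at is None:
            return False
        if now - user.locked_at >= self.policy.lockout_duration:
            user.locked_at = None          # lockout_duration elapsed: reset
            user.failures = 0
            return False
        return True

    def authenticate(self, name: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        What makes the attack work: the failure counter is keyed on the
        username alone, so the attacker's wrong passwords and the legitimate
        service's correct one land on the same counter.
        """
        user = self.users[name]
        enforced = self._enforced(name, user)
        if enforced and self._is_locked(user, now):
            return 'locked'
        if hmac.compare_digest(password.encode(), user.password.encode()):
            user.failures = 0
            return 'ok'
        if enforced:
            user.failures += 1
            if user.failures >= self.policy.failure_attempts:
                user.locked_at = now
        return 'bad_password'


def lockout_scenario(policy: LockoutPolicy, target: str) -> Tuple[str, str]:
    """Replay the bug: an attacker who knows only `target`'s username sends
    wrong passwords (the `while true; do openstack token issue; done` loop
    with OS_PASSWORD=fail); the legitimate owner then tries the real password
    immediately and again after lockout_duration has passed.

    Returns (outcome right after the attack, outcome after lockout_duration).
    """
    # constructed users: a service account and an ordinary user in another domain
    backend = IdentityBackend(policy, {
        'nova': UserState(domain='service', password='correct-horse'),
        'alice': UserState(domain='users', password='battery-staple'),
    })
    real_password = backend.users[target].password
    for t in range(policy.failure_attempts):
        backend.authenticate(target, 'fail', now=t)       # attacker traffic
    during = backend.authenticate(target, real_password, now=10)
    after = backend.authenticate(target, real_password,
                                 now=10 + policy.lockout_duration)
    return during, after


if __name__ == '__main__':
    print('default policy, nova:      ', lockout_scenario(LockoutPolicy(), 'nova'))
    print('nova exempt (option 1):    ',
          lockout_scenario(LockoutPolicy(exempt_users=frozenset({'nova'})), 'nova'))
    per_domain = LockoutPolicy(enforced_domains=frozenset({'users'}))
    print('service domain exempt (2): ', lockout_scenario(per_domain, 'nova'))
    print('   ...but users still are: ', lockout_scenario(per_domain, 'alice'))
```

With the default policy the service is `locked` right after three wrong attempts and only recovers once `lockout_duration` has elapsed; with either mitigation the nova account stays reachable while, in the per-domain variant, alice in the enforced domain can still be locked out. The trade-off to keep in mind: an account exempted from lockout has no brute-force throttle left, so it needs a long random password and should be watched in the authentication logs.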