Non-Admin Access to Revocation Events

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Now that I've added the security templates. Putting on my Keystone hat, the intent of the revocation events is that they are meant to be public. When they were designed it was not possible (via keystone code directly) to lock people out of their accounts via attempted logins (no PCI-DSS support like we have today).

In reality, if we are ok with online-only validation (UUID and Fernet) and ok with tokens being cached/valid for the cached duration (without verification of the revocation event-list by the external consumer), then we can make this change / make the revocation event listing API deprecated with the intent that it is not meant to be used any longer. It was much more important when we had PKI tokens to have a public revocation event bundle that did not include the token IDs (the old Revocation list was a list of token IDs and therefore had to be a priv operation).

If we are intending the revocation event list to be consumable in any form (not strictly asking keystone for the validation due to cache), I don't want to make it a priv. operation again.

I would like to see another keystone-coresec weigh in on this regarding severity before I try and offer a classification (since I am part of the VMT).

Please note this bug has been publicly discussed in the #openstack-keystone channel prior to submission to Launchpad.

As an additional point, it may not be backportable (a policy.json fix) as that either will not hit deployments and/or will change behavior directly (which may be in use).

It's mentioned quite prominently starting at http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-12-13.log.html#t2016-12-13T01:34:31 so at a minimum we should end the embargo by switching this to Public Security.

My apologies for that. Wasn't exactly sure what I was looking at. This seemed like it may have been just standard keystone operation so was trying to work it out, and irc seemed like a good place to ask.

Will in future if I find something odd that looks even vaguely like a security problem leave it out of public channels until I'm sure it isn't.

Adrian, no worries.

fungi, I'm OK with lifting the embargo.

I think defaulting the policy to `rule:admin_required` is decent place to start. But as Morgan said, I'm not sure how useful it is to list revocation events now. Would love to hear from ayoung.

Remove the API. It is not longer needed. `rule:admin_required` is also sufficient

I've switched this report to Public Security now, ending the embargo; it was already discussed elsewhere in public per comments #4/#6.

Sounds like we should at least make the API `rule:admin_required` in the default policy file.

Fix proposed to branch: master
Review: https://review.openstack.org/416841

Reviewed: https://review.openstack.org/416841
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d4a890a6c8bd6927e229f4b665a982a51c130073
Submitter: Jenkins
Branch: master

commit d4a890a6c8bd6927e229f4b665a982a51c130073
Author: Steve Martinelli <email address hidden>
Date: Thu Jan 5 00:41:34 2017 -0500

    listing revoke events should be admin only

    Currently any user can list revocation events, this data contains
    IDs for users and projects. It should not be made available to
    any user that is able to authenticate, it should be an admin
    only API call.

    Change-Id: I4290163c67c84ef0e1a2f6ee967ddf2acb2c3212
    Closes-Bug: 1649446

Consensus seems to be that this was intentional behavior, but worth changing (as evidenced by a subsequent fix to master). Given that and the lack of stable branch backports, I'm going to treat this as a security hardening opportunity. If there is fierce disagreement favoring backports and an official advisory, we can revisit the classification at that time.

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.

Fix proposed on branch: master
Review: https://review.openstack.org/#/c/428759/

Reviewed: https://review.openstack.org/428759
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=67034c4db8613e8cead5e5839edbecf040b4fb91
Submitter: Jenkins
Branch: master

commit 67034c4db8613e8cead5e5839edbecf040b4fb91
Author: Frode Nordahl <email address hidden>
Date: Tue Jan 10 08:50:28 2017 +0100

    Update policy.json for Ocata

    Refresh v2 and v3 portion of policy.json from upstream keystone
    repository @ commit
    d4a890a6c8bd6927e229f4b665a982a51c130073

    Add functional tests to verify effect of policy

    Update functional tests to use keystone_configure_api_version
    from charm-helpers

    Update functional tests to correctly validate cinder services
    when openstack release >= ocata

    Enable functional test for ocata, set appropriate cinder
    configuration.

    Change-Id: Idf07ff3a7c9d7e7eb30792719541319ab3426a41
    Closes-Bug: 1651989
    Closes-Bug: 1649446