Non-Admin Access to Revocation Events
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Steve Martinelli | ||
OpenStack Keystone Charm |
Fix Released
|
Undecided
|
Frode Nordahl | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
keystone (Juju Charms Collection) |
Invalid
|
Undecided
|
Frode Nordahl |
Bug Description
With the default Keystone policy any authed user can list all revocation events for the cluster:
https:/
This can be done by directly calling the API as such:
curl -g -i -X GET http://
and this will provide you with a normal revocation event list (see attachment).
This will allow a user to over time collect a list of user_ids and project_ids. The project_ids aren't particularly useful, but the user_ids can be used to lock people of of their accounts. Or if rate limiting is not setup (a bad idea), or somehow bypassed, would allow someone to brute force access to those ids.
Knowing the ids is no worse than knowing the usernames, but as a non-admin you shouldn't have access to such a list anyway.
It is also worth noting that OpenStack policy files are rife with these blank policy rules, not just Keystone. Some are safe and intended to be accessible by any authed user, others are checked at the code layer, but there may be other rules that are unsafe to expose to any authed user and as such should actually default to "rule:admin_
description: | updated |
Changed in keystone: | |
importance: | Undecided → High |
milestone: | none → ocata-3 |
Changed in charm-keystone: | |
assignee: | nobody → Frode Nordahl (fnordahl) |
status: | New → Fix Committed |
Changed in keystone (Juju Charms Collection): | |
status: | Fix Committed → Invalid |
Changed in charm-keystone: | |
milestone: | none → 17.02 |
Changed in charm-keystone: | |
status: | Fix Committed → Fix Released |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.