Bug activity log (date | who | field | change)

2018-09-11 15:35:14 | Adam Young | bug | added bug

2018-09-11 17:15:56 | Jeremy Stanley | description
  old value:
    Heat and Admin users both commonly create trusts for other users. But any application is capable of doing this, as it requires only a scoped token to create a trust, which users pass around regularly.
    If I am concerned that some other application (or unauthorized user) has created a trust with me as the trustor, I need to be able to confirm this. If I cannot perform "trust list" and see the set of trusts that have me as a trustor, I am not able to clear out spurious ones. Thus, I would not be aware of any trusts set up in my name.
  new value:
    This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
    Heat and Admin users both commonly create trusts for other users. But any application is capable of doing this, as it requires only a scoped token to create a trust, which users pass around regularly.
    If I am concerned that some other application (or unauthorized user) has created a trust with me as the trustor, I need to be able to confirm this. If I cannot perform "trust list" and see the set of trusts that have me as a trustor, I am not able to clear out spurious ones. Thus, I would not be aware of any trusts set up in my name.

2018-09-11 17:20:30 | Jeremy Stanley | bug task added | ossa

2018-09-11 17:20:49 | Jeremy Stanley | bug | added subscriber Keystone Core security contacts

2018-09-20 16:33:40 | Jeremy Stanley | information type | Private Security -> Public

2018-09-20 16:33:53 | Jeremy Stanley | description
  old value:
    This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
    Heat and Admin users both commonly create trusts for other users. But any application is capable of doing this, as it requires only a scoped token to create a trust, which users pass around regularly.
    If I am concerned that some other application (or unauthorized user) has created a trust with me as the trustor, I need to be able to confirm this. If I cannot perform "trust list" and see the set of trusts that have me as a trustor, I am not able to clear out spurious ones. Thus, I would not be aware of any trusts set up in my name.
  new value:
    Heat and Admin users both commonly create trusts for other users. But any application is capable of doing this, as it requires only a scoped token to create a trust, which users pass around regularly.
    If I am concerned that some other application (or unauthorized user) has created a trust with me as the trustor, I need to be able to confirm this. If I cannot perform "trust list" and see the set of trusts that have me as a trustor, I am not able to clear out spurious ones. Thus, I would not be aware of any trusts set up in my name.

2018-09-20 16:33:59 | Jeremy Stanley | ossa: status | New -> Won't Fix

2018-09-20 16:34:08 | Jeremy Stanley | tags | (none) -> security

2018-10-24 18:04:24 | Morgan Fainberg | keystone: status | New -> Triaged

2018-10-24 18:04:26 | Morgan Fainberg | keystone: importance | Undecided -> Medium

2018-10-26 16:36:50 | Morgan Fainberg | tags | security -> policy security