Comment 16 for bug 1242597

Thierry Carrez (ttx) wrote : Re: ec2tokens API doesn't handle trust-scoped tokens correctly

Proposed impact description, please double-check that I got it right (included affected versions):

-------------------------------------------
Title: Keystone trust circumvention through EC2-style tokens
Reporter: Steven Hardy (Red Hat)
Products: Keystone
Affects: Grizzly and later

Description:
Steven Hardy from Red Hat reported a vulnerability in Keystone trusts when used in conjunction with the ec2tokens API. By generating EC2 tokens from a trust-scoped token, a trustee may retrieve a token not scoped to the trust, therefore elevating privileges to all of the trustor's roles. Only Keystone setups enabling EC2-style authentication are affected.
---------------------------------------------