auth_token middleware does not check if an endpoint is in the service catalog

Bug #1071815 reported by Adam Young
This bug affects 1 person
Affects: keystonemiddleware
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned

Bug Description

We include the catalog in the token, but it is not checked. Thus, a token that is intended for a subset of the endpoints can be used on additional endpoints. This prevents a user from creating a token specific to an endpoint. The comparable mechanism is service tickets in Kerberos. If a rogue service gets a ticket in Kerberos, it cannot reuse that ticket elsewhere. With the current token scheme, all tokens on a compromised server are at risk of being abused throughout an OpenStack deployment.

Tags: security
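As an added illustration of the check the report asks for (this is not code from keystonemiddleware or from the reporter), the filter below binds a catalog-bearing token to the endpoint that actually received the request: if the token's service catalog does not list this endpoint's scheme, host and port, the request is refused. The token layout is a simplified Keystone v2 shape with constructed hosts and ids, and the environ key keystone.token_info is assumed to carry the already-validated token data.

```python
"""Endpoint-binding check for a catalog-bearing token (added illustration)."""
from urllib.parse import urlsplit

# Constructed sample: a simplified Keystone v2-style token body. The ids and
# hosts are placeholders, not values taken from any real deployment.
SAMPLE_TOKEN = {
    "access": {
        "token": {"id": "PLACEHOLDER-TOKEN-ID", "tenant": {"id": "tenant-1"}},
        "serviceCatalog": [
            {
                "type": "object-store",
                "name": "swift",
                "endpoints": [
                    {"publicURL": "https://swift.example.test:8080/v1/AUTH_tenant-1",
                     "internalURL": "http://swift-int.example.test:8080/v1/AUTH_tenant-1"}
                ],
            },
            {
                "type": "image",
                "name": "glance",
                "endpoints": [{"publicURL": "https://glance.example.test/v2"}],
            },
        ],
    }
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Reduce a URL to (scheme, host, port) so that comparisons are exact
    even when one side omits the default port or differs in case."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def catalog_origins(token):
    """Every origin named by a *URL entry anywhere in the token's catalog."""
    origins = set()
    for service in token.get("access", {}).get("serviceCatalog", []):
        for endpoint in service.get("endpoints", []):
            for key, value in endpoint.items():
                if key.endswith("URL") and isinstance(value, str):
                    origins.add(normalize_origin(value))
    return origins


def endpoint_allowed(token, local_url):
    """True only if the endpoint serving this request appears in the catalog."""
    return normalize_origin(local_url) in catalog_origins(token)


def request_origin(environ):
    """Origin of the endpoint that received a WSGI request (Host header first,
    falling back to the server's own name and port)."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST")
    if not host:
        host = "%s:%s" % (environ["SERVER_NAME"], environ["SERVER_PORT"])
    return normalize_origin("%s://%s/" % (scheme, host))


class EndpointBindingFilter:
    """WSGI filter meant to sit after token validation. It refuses requests
    whose token catalog does not list this endpoint. The environ key
    'keystone.token_info' is an assumption of this example."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        token = environ.get("keystone.token_info")
        if token is None or request_origin(environ) not in catalog_origins(token):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"token not valid for this endpoint\n"]
        return self.app(environ, start_response)


def run_filter(environ):
    """Drive the filter with a stub application; returns (status, body)."""
    statuses = []

    def ok_app(env, sr):
        sr("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    def start_response(status, headers, exc_info=None):
        statuses.append(status)

    body = b"".join(EndpointBindingFilter(ok_app)(environ, start_response))
    return statuses[0], body
```

The comparison is on origin (scheme, host, port) rather than on the full URL, because a catalog entry names a service root while requests carry arbitrary paths beneath it; a scheme mismatch (plain http against an https catalog entry) is still rejected, since the catalog is the only statement of where the token was meant to be presented.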
Adam Young (ayoung) wrote :
Russell Bryant (russellb) wrote :

Is this a vulnerability or a weakness in the current design?

If it's just something that should be improved, that's fine. In that case we should make the bug public and treat it as a "security hardening" issue.

We typically only leave bugs private and go through the embargo process for exploitable vulnerabilities.

Adam Young (ayoung) wrote :

Weakness in the current design. Figured I would be careful and start with it embargoed, but it is really "security hardening" as there is no known exploit for the issue.

Russell Bryant (russellb) wrote :

Great, thanks for the clarification. It's always good to start that way. I'm going to open this issue now.

information type: Private Security → Public Security
Thierry Carrez (ttx) wrote :

Russell: made the bug "public". We should keep "Public security" for things that are vulnerabilities but were posted/fixed publicly, and use "Public" with the "security" tag set for strengthening features.

tags: added: security
information type: Public Security → Public
Joseph Heck (heckj)
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
affects: keystone → keystonemiddleware
Morgan Fainberg (mdrnstm) wrote :

This is not part of the scope of keystonemiddleware. We do not deny based upon the endpoint/catalog.

Changed in keystonemiddleware:
status: Triaged → Won't Fix