Chapter 18. Identity in OpenStack Security Guide - havana

Bug #1253823 reported by Brant Knudson
Affects: openstack-manuals
Status: Fix Released
Importance: Medium
Assigned to: Anne Gentle
Milestone: (none listed)

Bug Description

This chapter says "The Identity service could alternatively be configured to provide UUID tokens which are significantly shorter but may be less secure depending on your specific deployment model."

There's not meant to be any difference in security between using PKI versus UUID tokens. PKI tokens are supposed to save on network traffic and keystone server CPU (although I'm not sure that they do). Choosing PKI or UUID isn't a question of PKI being more secure. They're the same.

-----------------------------------
Built: 2013-11-21T20:48:44+00:00
git SHA: 216e166bd12b79d533be12c139aaef740a2ff7f1
URL: http://docs.openstack.org/security-guide/content/ch024_authentication.html
source File: file:/home/jenkins/workspace/openstack-security-guide/doc/security-guide/ch024_authentication.xml
xml:id: ch024_authentication

Tags: sec-guide
tags: added: sec-guide
Revision history for this message
Anne Gentle (annegentle) wrote :

Requested that the Security Guide original authors triage this doc bug.

Revision history for this message
Bryan D. Payne (bdpayne) wrote :

I agree with Brant that the wording in the book here is misleading.

Brant, do you have a suggestion for improving the wording?

Revision history for this message
Brian Schott (bfschott) wrote :

Agree it is badly worded, but I think the argument here is that there are different versions of UUID where the tokens are less secure than a PKI generated authentication token. For example, Version 1 UUID is based on the MAC address and timestamp of the server generating it, so someone external to the system can likely guess a valid authentication token on a busy system without intercepting any traffic at all. Not to mention that random is 122 bits and SHA-1 is 128 bits. So, I'd argue that UUID is less secure than PKI, not that a PKI token is completely secure.

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Brant Knudson (blk-u) wrote :

Looking at the current Keystone code, UUID tokens are generated using uuid.uuid4() and not uuid1(). Same with all supported versions of Keystone (and Folsom, too).

I think this paragraph """

The Identity service could alternatively be configured to provide UUID tokens which are significantly shorter but may be less secure depending on your specific deployment model. Decisions about token implementation should take into consideration the level of trust needed within a given security domain.

"""

should be removed, since the token format is not relevant from a security perspective.
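
An added example, not code from this bug report or from Keystone, illustrating the distinction Brian and Brant are making: it decomposes a version-1 UUID into the host and time fields it exposes, and checks that a token is a version-4 (random) UUID of the kind Keystone's uuid.uuid4() produces. The function names and the Keystone-style 32-hex-digit token rendering are assumptions; the version-1 sample is the RFC 4122 DNS namespace UUID, used only as a well-known literal.

```python
import uuid

# Added example (not from the bug report or from Keystone): the UUID *version*
# is what matters for a token. v1 encodes host and time; v4 is 122 random bits.


def uuid_token_fields(token: str) -> dict:
    """Decompose a UUID-format token and report which fields it exposes."""
    u = uuid.UUID(token)
    info = {"version": u.version}
    if u.version == 1:
        # RFC 4122 v1: 60-bit timestamp, 14-bit clock sequence, 48-bit node id
        # (normally the generating host's MAC address). None of it is secret.
        info["node"] = "%012x" % u.node
        info["time_100ns_since_1582"] = u.time
        info["clock_seq"] = u.clock_seq
        info["random_bits"] = 0
    elif u.version == 4:
        # 128 bits minus the 4 version bits and 2 variant bits
        info["random_bits"] = 122
    return info


def is_random_uuid_token(token: str) -> bool:
    """Accept only RFC 4122 version-4 (random) UUIDs, as uuid.uuid4() issues;
    malformed strings and every other UUID version are rejected."""
    try:
        u = uuid.UUID(token)
    except ValueError:
        return False
    return u.version == 4 and u.variant == uuid.RFC_4122


def issue_token() -> str:
    """Keystone-style UUID token (assumed format): uuid4() as 32 hex digits."""
    return uuid.uuid4().hex


# Constructed sample: the RFC 4122 DNS namespace UUID, a well-known v1 value.
SAMPLE_V1 = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"

if __name__ == "__main__":
    print(uuid_token_fields(SAMPLE_V1))
    print(uuid_token_fields(issue_token()))
    print(is_random_uuid_token(SAMPLE_V1), is_random_uuid_token(issue_token()))
```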

Anne Gentle (annegentle)
Changed in openstack-manuals:
assignee: nobody → Anne Gentle (annegentle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/63536

Changed in openstack-manuals:
status: Triaged → In Progress
Anne Gentle (annegentle)
Changed in openstack-manuals:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
