keystone ADMIN_TOKEN set by default can lead to default insecure deployment

Bug #1545789 reported by Morgan Fainberg
Affects: OpenStack Identity (keystone)    Importance: Medium    Assigned to: Adam Young
Affects: OpenStack Security Notes         Importance: High      Assigned to: Robert Clark

Bug Description

The Keystone configuration sets the ADMIN_TOKEN option to "ADMIN" by default, which means that unless the deployment specifically changes this value to a secure value, the filter "admin_token_auth" will accept the value of "ADMIN" as an all-access administrative token for the openstack deployment (when interacting with keystone).

https://github.com/openstack/keystone/blob/406fbfaa2689255fb54cf1eb07403f392c735c53/keystone/common/config.py#L49-L56

The fix will be to make this value "None" by default, and if the option is unset, the "admin_token_auth" filter will simply pass, continuing to allow normal credentials to work.

This is a CLASS B1 (my assessment) https://security.openstack.org/vmt-process.html#incident-report-taxonomy

This bug was opened so we can issue an OSSA/OSSN with the fix.

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

This was marked as public because it's not like this was unknown to begin with and has been extensively discussed in documentation/IRC

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

This was originally meant to be addressed by moving to keystone-manage bootstrap, but it has been made clear that removing the filter from the default pipeline is not acceptable as it breaks distros that treat the paste-ini as immutable instead of a config file (like it is)
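
To make the two points above concrete (the bug description's account of how the admin_token_auth filter treats the configured admin_token, and the comment above on why the fix targets the option's default rather than the paste pipeline), here is an added example. It is not keystone's own code: admin_token_filter is a deliberately minimal model of the filter's decision, effective_admin_token and audit_conf compute what a given keystone.conf would yield under the pre-fix default ("ADMIN") and the post-fix default (None), and pipelines_with_admin_token_auth reports which [pipeline:*] sections of a keystone-paste.ini still carry the filter. The sample configs, the INSECURE_ADMIN_TOKENS set and the constant-time comparison are all assumptions of this example.

```python
"""Added example (not keystone's own code): a model of the admin_token_auth
filter plus audit helpers for keystone.conf and keystone-paste.ini.

The model keeps only what the bug report describes: the filter compares
X-Auth-Token with the configured admin_token and, on a match, hands on an
all-access admin context. Pre-fix the option's code default was "ADMIN";
the fix makes it None, in which case the filter does nothing and the normal
credential path (the next filter in the pipeline) handles the request.
"""
import configparser
import hmac

# Assumed weak values: "ADMIN" is the pre-fix code default, "" an empty setting.
INSECURE_ADMIN_TOKENS = {"", "ADMIN"}

# Constructed sample configs for the demonstration, not from a real deployment.
SAMPLE_CONF_UNSET = "[DEFAULT]\nlog_dir = /var/log/keystone\n"
SAMPLE_CONF_DEFAULT = "[DEFAULT]\nadmin_token = ADMIN\n"
SAMPLE_CONF_STRONG = "[DEFAULT]\nadmin_token = 4f9c1a7e2d6b8c0e5a3f7d1b9e2c6a4d\n"
SAMPLE_PASTE_INI = """\
[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body service_v3

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body public_service
"""


def effective_admin_token(conf_text, code_default):
    """Return the admin_token keystone would actually use.

    `code_default` is what the option falls back to when keystone.conf leaves
    it unset: "ADMIN" before the fix, None after it.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    value = parser.get("DEFAULT", "admin_token", fallback=None)
    return code_default if value is None else value.strip()


def admin_token_filter(admin_token, headers):
    """Model of the filter: return the request context it would hand on."""
    context = {"is_admin": False}
    if admin_token is None:
        # Post-fix behaviour: option unset, the filter is a no-op.
        return context
    presented = headers.get("X-Auth-Token", "")
    # Constant-time compare is a hardening choice of this model; the bug is
    # about the default value, not the comparison.
    if hmac.compare_digest(presented.encode(), admin_token.encode()):
        context["is_admin"] = True
    return context


def audit_conf(conf_text, code_default):
    """Classify the effective admin_token as 'unset', 'insecure' or 'ok'."""
    token = effective_admin_token(conf_text, code_default)
    if token is None:
        return "unset"
    if token in INSECURE_ADMIN_TOKENS:
        return "insecure"
    return "ok"


def pipelines_with_admin_token_auth(paste_ini_text):
    """List the [pipeline:*] sections that still carry admin_token_auth."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(paste_ini_text)
    hits = []
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue
        filters = parser.get(section, "pipeline", fallback="").split()
        if "admin_token_auth" in filters:
            hits.append(section)
    return hits


if __name__ == "__main__":
    attacker = {"X-Auth-Token": "ADMIN"}  # the value an unauthenticated caller would try
    samples = (("unset", SAMPLE_CONF_UNSET), ("ADMIN", SAMPLE_CONF_DEFAULT), ("random", SAMPLE_CONF_STRONG))
    for label, conf in samples:
        for version, default in (("pre-fix", "ADMIN"), ("post-fix", None)):
            token = effective_admin_token(conf, default)
            ctx = admin_token_filter(token, attacker)
            print(f"conf={label:6} {version:8} audit={audit_conf(conf, default):8} is_admin={ctx['is_admin']}")
    print("pipelines still using admin_token_auth:", pipelines_with_admin_token_auth(SAMPLE_PASTE_INI))
```

The "unset" row is the one that matters for the bug: with keystone.conf silent on admin_token, a pre-fix keystone accepts X-Auth-Token: ADMIN as admin while a post-fix keystone ignores the filter entirely. The pipeline audit is the complementary control that distros treating keystone-paste.ini as immutable could not rely on; on a deployment where admin_token is set, the same check reduces to one request with X-Auth-Token: ADMIN against the v3 API, which must come back 401, not 200.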

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Agreed on the B1 (insecure default value), and I added an OSSN task for an eventual Security Note.
Thanks!

Changed in keystone:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/280329
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a14d76138779a03a7547d414629d6c3b5fb44fe1
Submitter: Jenkins
Branch: master

commit a14d76138779a03a7547d414629d6c3b5fb44fe1
Author: Adam Young <email address hidden>
Date: Mon Feb 15 12:14:03 2016 -0500

    Re-enable and undeprecate admin_token_auth

    Partial-Bug: 1545761
    Partial-Bug: 1545789

    Change-Id: I717b7bae146daaca086292c568b87a0f6aa7e1d9

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/282104

Changed in keystone:
assignee: Adam Young (ayoung) → Steve Martinelli (stevemar)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: master
Review: https://review.openstack.org/282104
Reason: too soon

Revision history for this message
Steve Martinelli (stevemar) wrote :

the partial fixes were actually complete on the keystone side

Changed in keystone:
status: In Progress → Fix Released
assignee: Steve Martinelli (stevemar) → Adam Young (ayoung)
Changed in ossn:
assignee: nobody → Robert Clark (robert-clark)
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Robert Clark (robert-clark) wrote :

Do the Keystone guys have any feel for how many distributions might be in this situation?

Allowing "ADMIN" as a Keystone admin is pretty much a showstopper for anyone who's left this enabled. Very scary.

Revision history for this message
Robert Clark (robert-clark) wrote :

I imagine this probably needs a lot of editing as I'm no Keystone expert but here's a draft OSSN.

https://review.openstack.org/300091

Changed in ossn:
status: Confirmed → Fix Released
This report contains Public Security information.