Comment 4 for bug 1041396

Joseph Heck (heckj) wrote : Re: [Bug 1041396] Token validation includes revoked roles

I just looked through reviewboard and didn't see any patches pending review.

-joe

On Aug 27, 2012, at 2:16 PM, Russell Bryant <email address hidden> wrote:
> We need a couple of keystone-core reviews on these patches.
>
> Here is a draft description. Right now it's mostly one long awkward
> sentence. There's probably a more elegant way of describing it ...
>
>
> Title: Revoking a role does not affect existing tokens
> Impact: High
> Reporter: Dolph Mathews (Rackspace)
> Products: Keystone
> Affects: Essex, Folsom
>
> Description:
> Dolph Mathews reported a vulnerability in Keystone. If you revoke a role from a user from the admin API and then validate a token that existed before revoking the role, the token validation response will still include that role.
>
> --
> You received this bug notification because you are a member of Keystone
> Bugs, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1041396
>
> Title:
> Token validation includes revoked roles
>
> Status in OpenStack Identity (Keystone):
> In Progress
>
> Bug description:
> To reproduce:
> 1) Initial setup: http://paste.openstack.org/raw/20477/
> 2) Authenticate as a normal user, generating a token
> 3) On the admin API, revoke a role from that user
> 4) On the admin API, validate the user's generated token
>
> The revoked role is included in the validation response. Ideally, the
> token should be entirely invalidated and return 404, although at the
> very least, the revoked role should *NOT* be included in the
> validation response.
>
> Full example:
>
> Authenticate as a user who has been granted the 'manager' role:
>
> POST http://127.0.0.1:5000/v2.0/tokens
> ======================================
>
> Content-Type: application/json
>
> {
>   "auth": {
>     "tenantName": "project-x",
>     "passwordCredentials": {
>       "username": "joe",
>       "password": "secret"
>     }
>   }
> }
>
> 200 OK
> ======
>
> Date: Fri, 24 Aug 2012 22:43:24 GMT
> Vary: X-Auth-Token
> Content-Length: 448
> Status: 200
> Content-Type: application/json
>
> {
>   "access": {
>     "token": {
>       "expires": "2012-08-25T22:43:24Z",
>       "id": "c0db082bdb7f47e4845d7be551558620",
>       "tenant": {
>         "id": "10e2a090121748388cf39e915d376f29",
>         "enabled": true,
>         "description": null,
>         "name": "project-x"
>       }
>     },
>     "serviceCatalog": {},
>     "user": {
>       "username": "joe",
>       "roles_links": [],
>       "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
>       "roles": [
>         {
>           "name": "manager"
>         }
>       ],
>       "name": "joe"
>     },
>     "metadata": {
>       "is_admin": 0,
>       "roles": [
>         "facd80ce22d44eae87375f11295f8e51"
>       ]
>     }
>   }
> }
>
> Validate the user's token (note the presence of the 'manager' role):
>
> GET http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> =======================================================================
>
> X-Auth-Token: ADMIN
>
>
> 200 OK
> ======
>
> Status: 200
> Content-Length: 490
> Content-Location: http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> Vary: X-Auth-Token
> Date: Fri, 24 Aug 2012 22:44:01 GMT
> Content-Type: application/json
>
> {
>   "access": {
>     "token": {
>       "expires": "2012-08-25T22:43:24Z",
>       "id": "c0db082bdb7f47e4845d7be551558620",
>       "tenant": {
>         "description": null,
>         "enabled": true,
>         "id": "10e2a090121748388cf39e915d376f29",
>         "name": "project-x"
>       }
>     },
>     "serviceCatalog": {},
>     "user": {
>       "username": "joe",
>       "roles_links": [],
>       "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
>       "roles": [
>         {
>           "id": "facd80ce22d44eae87375f11295f8e51",
>           "name": "manager"
>         }
>       ],
>       "name": "joe"
>     },
>     "metadata": {
>       "is_admin": 0,
>       "roles": [
>         "facd80ce22d44eae87375f11295f8e51"
>       ]
>     }
>   }
> }
>
> As admin, revoke the 'manager' role from the user:
>
> $ keystone user-role-remove --user-id=b2a6f8d5dbb249f3b9ac8a46e8cb77e6 --role-id=facd80ce22d44eae87375f11295f8e51 --tenant-id=10e2a090121748388cf39e915d376f29
>
> As admin, the validation response remains unchanged (including the
> revoked 'manager' role):
>
> GET http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> =======================================================================
>
> X-Auth-Token: ADMIN
>
>
> 200 OK
> ======
>
> Status: 200
> Content-Length: 490
> Content-Location: http://127.0.0.1:35357/v2.0/tokens/c0db082bdb7f47e4845d7be551558620
> Vary: X-Auth-Token
> Date: Fri, 24 Aug 2012 22:44:46 GMT
> Content-Type: application/json
>
> {
>   "access": {
>     "token": {
>       "expires": "2012-08-25T22:43:24Z",
>       "id": "c0db082bdb7f47e4845d7be551558620",
>       "tenant": {
>         "description": null,
>         "enabled": true,
>         "id": "10e2a090121748388cf39e915d376f29",
>         "name": "project-x"
>       }
>     },
>     "serviceCatalog": {},
>     "user": {
>       "username": "joe",
>       "roles_links": [],
>       "id": "b2a6f8d5dbb249f3b9ac8a46e8cb77e6",
>       "roles": [
>         {
>           "id": "facd80ce22d44eae87375f11295f8e51",
>           "name": "manager"
>         }
>       ],
>       "name": "joe"
>     },
>     "metadata": {
>       "is_admin": 0,
>       "roles": [
>         "facd80ce22d44eae87375f11295f8e51"
>       ]
>     }
>   }
> }
>
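As an added illustration of the failure the quoted report describes (this is not Keystone's code and not part of the bug thread): a toy token service that freezes the role list into the token at issuance, shown beside a validation path that re-checks the live assignments and either omits the revoked role or invalidates the token outright, the two outcomes the report asks for. All class, method and field names are invented for the example.

```python
import secrets
from datetime import datetime, timedelta, timezone


class TokenService:
    def __init__(self):
        self.assignments = {}  # user_id -> tenant_id -> set of role ids
        self.tokens = {}       # token id -> user, tenant, role snapshot, expiry

    def grant(self, user_id, tenant_id, role_id):
        self.assignments.setdefault(user_id, {}).setdefault(tenant_id, set()).add(role_id)

    def revoke(self, user_id, tenant_id, role_id):
        self.assignments.get(user_id, {}).get(tenant_id, set()).discard(role_id)

    def authenticate(self, user_id, tenant_id):
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {
            "user": user_id,
            "tenant": tenant_id,
            # Root of the reported bug: the role list is frozen into the token here.
            "roles": set(self.assignments.get(user_id, {}).get(tenant_id, set())),
            "expires": datetime.now(timezone.utc) + timedelta(hours=24),
        }
        return token_id

    def _unexpired(self, token_id):
        token = self.tokens.get(token_id)
        if token is None or token["expires"] <= datetime.now(timezone.utc):
            return None  # would be a 404 on the admin API
        return token

    def validate_snapshot(self, token_id):
        """Reported behaviour: answers from the snapshot, so revocation is invisible."""
        token = self._unexpired(token_id)
        return None if token is None else sorted(token["roles"])

    def validate_live(self, token_id, invalidate=True):
        """Corrected behaviour: invalidate=True drops the token once any issuance
        role was revoked (the report's 'ideally'); False just omits revoked roles."""
        token = self._unexpired(token_id)
        if token is None:
            return None
        current = self.assignments.get(token["user"], {}).get(token["tenant"], set())
        if token["roles"] <= current:
            return sorted(current)
        if invalidate:
            del self.tokens[token_id]
            return None
        return sorted(token["roles"] & current)
```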