
yahoo-eng-team team mailing list archive

[Bug 1219092] Re: token includes is_admin; where's the MAC or signature?


Marking as 'invalid' since this isn't actually a bug report.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1219092

Title:
  token includes is_admin; where's the MAC or signature?

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Working from the example in the security guide, a sample token is
  given on page 109 (I think that's what Calibre is telling me with
  109.0 / 300).

  The discussion begins with "Once a user is authenticated, a token is
  generated and used internally in OpenStack for authorization and
  access...." However, the discussion never mentions if the base encoded
  token is protected with a MAC or signature.

  In openstack-token-1, there's an image of the token discussed in the
  security guide. The highlighted portion was then base decoded. In
  openstack-token-2, the decoded token is shown and there's an is_admin
  field.

  I don't see any obvious fields that provide a MAC or signature over
  the data. Can someone confirm there's a MAC or signature covering that
  data?

  Suppose there is a MAC or signature. Can anyone confirm the routines
  fail closed if the MAC or signature is stripped by a miscreant (rather
  than assuming AUTH=OFF)?

  Related: there's a lot of information in that token. Is it all
  considered public information?

  Sorry to bother the team with this. I could not find a similar report
  in the database.
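The questions above come down to two verifiable properties: the MAC or signature must cover every claim in the payload (including is_admin), and the verifier must reject a token whose tag has been removed rather than treating "no tag" as "no authentication required". The following Python block is an added illustration of those two properties written for this page; it is not Keystone's token format or code, and the signing key, claim names and `<payload>.<mac>` layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this illustration only; a real service would load it from configuration.
SIGNING_KEY = b"constructed-example-key"


class TokenRejected(Exception):
    """Raised for any token that cannot be positively verified."""


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(claims: dict) -> bytes:
    # Canonical JSON so issuer and verifier compute the MAC over identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Encode the claims and append an HMAC-SHA256 tag over them: '<payload>.<mac>'."""
    body = _canonical(claims)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64encode(body) + "." + _b64encode(tag)


def verify_token(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Fail-closed verifier: returns the claims only if a MAC is present and correct."""
    parts = token.split(".")
    if len(parts) != 2 or not parts[1]:
        # A missing tag is a rejection, never an "AUTH=OFF" path.
        raise TokenRejected("no MAC present")
    try:
        body = _b64decode(parts[0])
        tag = _b64decode(parts[1])
    except ValueError:
        raise TokenRejected("malformed encoding")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TokenRejected("MAC mismatch")
    return json.loads(body)


def verify_token_lax(token: str, key: bytes = SIGNING_KEY) -> dict:
    """The failure mode the report asks about, shown for contrast: the MAC is
    checked only when one happens to be attached, so a tag-less token passes."""
    parts = token.split(".")
    body = _b64decode(parts[0])
    if len(parts) == 2 and parts[1]:
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_b64decode(parts[1]), expected):
            raise TokenRejected("MAC mismatch")
    return json.loads(body)


def outcome(verifier, token: str) -> str:
    """Run a verifier and report 'accepted' or 'rejected:<reason>'."""
    try:
        verifier(token)
    except TokenRejected as exc:
        return f"rejected:{exc}"
    return "accepted"


# Negative test vectors a reviewer would feed the verifier (constructed here).
def without_mac(token: str) -> str:
    """The same payload with the tag removed."""
    return token.split(".")[0]


def with_changed_claim(token: str, field: str, value) -> str:
    """Re-encode the payload with one claim altered while keeping the original tag."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_b64decode(payload_b64))
    claims[field] = value
    return _b64encode(_canonical(claims)) + "." + tag_b64


if __name__ == "__main__":
    sample = issue_token({"user_id": "u-123", "is_admin": False})
    print("intact      :", outcome(verify_token, sample))
    print("no MAC      :", outcome(verify_token, without_mac(sample)))
    print("is_admin=1  :", outcome(verify_token, with_changed_claim(sample, "is_admin", True)))
    print("lax, no MAC :", outcome(verify_token_lax, without_mac(sample)))
```

The contrast between `verify_token` and `verify_token_lax` is the point of the second question in the report: both reject a token whose is_admin claim no longer matches its tag, but only the fail-closed verifier rejects a token that arrives with no tag at all.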

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1219092/+subscriptions