yahoo-eng-team team mailing list archive

[Bug 1220995] Re: Keystone running under apache HTTPD v2.0 API token revocation and validation limitation


In order to validate a PKI token via the Keystone API, use the MD5 hash
of the token instead of the original token.  This is short enough for
all URLs.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1220995

Title:
  Keystone running under apache HTTPD v2.0 API token revocation and
  validation limitation

Status in OpenStack Identity (Keystone):
  Invalid
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  Keystone when running under apache with PKI tokens has an issue with
  token check, validation, and revocation.  Because the token is
  required to be in the URI "/v2.0/tokens/<token_id>" with PKI tokens it
  is possible to hit the request length limit (URI length) in apache.
  This is a compile-time limit of apache (maximum 8k).  Nginx would be
  unaffected (as this limit is configurable).  I have not verified this
  limit in any other web-server.

  The manifestation of this issue shows as an apache 404 page, and the
  request never makes it to the WSGI.

  See attachment for example.

  Affected Versions:  Keystone versions with PKI tokens enabled (with
  PKI token ids) running under HTTPD/Apache.

  This does not appear to affect the following:
  * v3 token revocations, verification, or checks via the REST API
  * revocations due to changes of password, projects, roles, etc.
  * UUID Tokens
  * keystoneclient middleware, as PKI tokens are not verified via this interface (verified directly by the middleware).

  This was tested on Ubuntu 12.04 LTS with apache 2.2.

  This will affect any consumer of the REST API that does not hash the
  long PKI token id before checking, verification, or revocation (in
  Havana referencing the tokens by the short-hash works, I am unsure
  about Folsom or Grizzly).

  Likely this cannot be exploited directly, but may warrant
  documentation changes and/or an advisory.  This has been opened as a
  security bug to have a few extra eyes on it to make sure it is not
  exploitable before being made public.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1220995/+subscriptions
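The following script illustrates the request-line limit described in this bug and the MD5-hash workaround given in the comment. It is an added example, not Keystone's or keystoneclient's own code. The token it builds is a constructed stand-in of roughly PKI-token size, not a real CMS-signed token; treating the "MII" prefix as the marker for a PKI token, and 8190 bytes as Apache's default LimitRequestLine, are assumptions of the example.

```python
import base64
import hashlib

# Apache's default LimitRequestLine, in bytes (the bug describes it as a ~8k compile-time cap).
APACHE_LIMIT_REQUEST_LINE = 8190

# Keystone PKI tokens are base64 CMS blobs that begin with "MII"; UUID tokens are 32 hex chars.
# Using the "MII" prefix as the PKI marker is an assumption of this example.
PKI_PREFIX = "MII"


def make_constructed_pki_token(length: int = 9000) -> str:
    """Build a constructed stand-in for a PKI token id of the given length.

    This is not a real CMS-signed token: it is deterministic base64 text with
    the "MII" prefix so that short_token_id() treats it as a PKI token.
    """
    payload = bytes(range(256)) * (length // 256 + 1)
    body = base64.b64encode(payload).decode("ascii")
    return (PKI_PREFIX + body)[:length]


def short_token_id(token_id: str) -> str:
    """Return the identifier to place in /v2.0/tokens/<token_id>.

    A PKI token is referenced by the MD5 hex digest of its full text (the
    workaround from the bug comment); a UUID token is already short and is
    returned unchanged.
    """
    if token_id.startswith(PKI_PREFIX):
        return hashlib.md5(token_id.encode("utf-8")).hexdigest()
    return token_id


def validation_request_line(token_id: str, version: str = "v2.0") -> str:
    """HTTP request line (method, target, protocol) for the v2.0 token validation call."""
    return f"GET /{version}/tokens/{token_id} HTTP/1.1"


def fits_apache_request_line(request_line: str,
                             limit: int = APACHE_LIMIT_REQUEST_LINE) -> bool:
    """True when the request line is within Apache's LimitRequestLine.

    A longer line is rejected by Apache before the request reaches the WSGI
    application, which is the 404 symptom the bug report describes.
    """
    return len(request_line.encode("ascii")) <= limit


def check_token(token_id: str) -> dict:
    """Summarise whether the raw id and its short form would reach Keystone."""
    raw_line = validation_request_line(token_id)
    short_line = validation_request_line(short_token_id(token_id))
    return {
        "raw_length": len(raw_line),
        "raw_fits": fits_apache_request_line(raw_line),
        "short_length": len(short_line),
        "short_fits": fits_apache_request_line(short_line),
    }


if __name__ == "__main__":
    pki = make_constructed_pki_token()
    print("PKI token :", check_token(pki))
    # A constructed UUID token is unaffected: it is already 32 hex characters.
    print("UUID token:", check_token("0123456789abcdef0123456789abcdef"))
```

Run as-is, the 9000-character constructed token produces a 9026-byte request line, over the 8190-byte default, while its MD5 form gives a 58-byte line that passes. This is the same reason the bug notes that keystoneclient middleware is unaffected: it validates PKI tokens locally and only uses the short hash when it talks to the REST API.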