
yahoo-eng-team team mailing list archive

[Bug 1268751] Re: Potential token revocation abuse via group membership

 

So it looks like this is not really fixable in stable branches... it
should rather be documented as a known issue when you set up specific
policies, so that you know what to expect if you do enable them this
way. That would make it OSSN territory.

The whole situation will be avoided in the future with the new design
that Adam is pushing, hopefully in time for Icehouse release.

** Also affects: ossn
   Importance: Undecided
       Status: New

** No longer affects: keystone/havana

** No longer affects: keystone/grizzly

** Changed in: ossa
       Status: Triaged => Incomplete

** Changed in: ossa
   Importance: Medium => Undecided

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1268751

Title:
  Potential token revocation abuse via group membership

Status in OpenStack Identity (Keystone):
  Triaged
Status in OpenStack Security Advisories:
  Incomplete
Status in OpenStack Security Notes:
  New

Bug description:
  If a group is deleted, all tokens for all users that are a member of
  that group are revoked. This leads to potential abuse:

  1. A group admin adds a user to a group without the user's knowledge
  2. User creates token
  3. Admin deletes group.
  4. All of the user's tokens are revoked.

  Admittedly, this abuse must be instigated by a group admin, which is
  the global admin in the default policy file, but an alternative policy
  file could allow for the delegation of "add user to group" behavior.
  In such a system, this could act as a denial of service attack for a
  set of users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1268751/+subscriptions
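The bug description above says the exposure only appears when a policy file delegates group operations beyond the global admin. As an added illustration (not code from the bug report or from Keystone), here is a small audit that reads a policy.json and flags the two group operations involved in the cascade when their rule is anything broader than the admin-only default; the policy targets and the sample policy are assumptions for this example, not values taken from the page.

```python
import json

# Constructed policy.json fragment (assumed target names). One rule is
# deliberately delegated to a non-global role to show what the check flags.
SAMPLE_POLICY = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "group_admin": "role:group_admin",
    "default": "rule:admin_required",
    "identity:create_group": "rule:admin_required",
    "identity:delete_group": "rule:admin_required",
    "identity:add_user_to_group": "rule:admin_required or rule:group_admin",
    "identity:remove_user_from_group": "rule:admin_required",
})

# Delegating either of these lets a non-global admin add a user to a group
# and then delete it, revoking that user's tokens (the sequence in the bug).
SENSITIVE_TARGETS = ("identity:add_user_to_group", "identity:delete_group")
ADMIN_ONLY = "rule:admin_required"


def delegated_group_rules(policy_text: str) -> dict:
    """Return {target: rule} for sensitive group operations whose rule is
    anything other than the admin-only default. A missing target falls
    back to the policy's 'default' rule, as Keystone's policy engine does."""
    policy = json.loads(policy_text)
    fallback = policy.get("default", ADMIN_ONLY)
    findings = {}
    for target in SENSITIVE_TARGETS:
        rule = policy.get(target, fallback).strip()
        if rule != ADMIN_ONLY:
            findings[target] = rule
    return findings


def report(policy_text: str) -> str:
    """Human-readable summary suitable for a deployment checklist."""
    findings = delegated_group_rules(policy_text)
    if not findings:
        return "group operations are admin-only; revocation cascade not delegated"
    lines = ["delegated group operations (token revocation reachable by delegates):"]
    for target, rule in sorted(findings.items()):
        lines.append(f"  {target}: {rule}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_POLICY))
```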