yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1268751] Re: Potential token revocation abuse via group membership

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Wed, 02 Apr 2014 15:03:59 -0000
Reply-to: Bug 1268751 <1268751@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

An OSSN on this issue has been published to the wiki, openstack-dev, and
openstack mailing lists:

http://git.openstack.org/cgit/openstack/openstack-security-
notes/commit/?id=5380798f052eaebc023271c90d65b8f6d6fa6331

https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0009&action=edit&redlink=1

** Changed in: ossn
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1268751

Title:
  Potential token revocation abuse via group membership

Status in OpenStack Identity (Keystone):
  Triaged
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  If a group is deleted, all tokens for all users that are a member of
  that group are revoked.  This leads to potential abuse:

  1.  A group admin adds a user to a group without users knowledge
  2. User creates token
  3. Admin  deletes group.  
  4.  All of the users tokens are revoked.

  Admittedly, this abuse must be instigated by a group admin, which is
  the global admin in the default policy file, but an alternative policy
  file could allow for the delegation of "add user to group" behavior.
  In such a system, this could act as a denial of service attack for a
  set of users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1268751/+subscriptions