← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1461728] Re: V2.0 API not calling defined external auth

 

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

** Description changed:

+ This issue is being treated as a potential security risk under embargo.
+ Please do not make any public mention of embargoed (private) security
+ vulnerabilities before their coordinated publication by the OpenStack
+ Vulnerability Management Team in the form of an official OpenStack
+ Security Advisory. This includes discussion of the bug or associated
+ fixes in public forums such as mailing lists, code review systems and
+ bug trackers. Please also avoid private disclosure to other individuals
+ not already approved for access to this information, and provide this
+ same reminder to those who are made aware of the issue prior to
+ publication. All discussion should remain confined to this private bug
+ report, and any proposed fixes should be added to the bug as
+ attachments.
+ 
  When keystone.conf is defined with external auth , all V2.0 API calls do
  not get intercepted by the defined external auth.
- 
  
  this is my keystone.conf
  [auth]
  methods=password,token,external
  external=keystone.auth.plugins.idm_external.IDMDefaultDomain
- 
  
  V.20 CURL to initiate external auth.
  curl -X POST -d '{"auth":{}}' -H "Content-type: application/json" -H "REMOTE_USER: admin" http://localhost:5000/v2.0/tokens
  
  What I'm seeing is the call gets to the keystone/token/controller.py,
  where it checks for the auth{} and executes the external authentication
  
-         if "token" in auth:
-             # Try to authenticate using a token
-             auth_info = self._authenticate_token(
-                 context, auth)
-         else:
-             # Try external authentication
-             try:
-                 auth_info = self._authenticate_external(
-                     context, auth)
-             except ExternalAuthNotApplicable:
-                 # Try local authentication
-                 auth_info = self._authenticate_local(
-                     context, auth)
+         if "token" in auth:
+             # Try to authenticate using a token
+             auth_info = self._authenticate_token(
+                 context, auth)
+         else:
+             # Try external authentication
+             try:
+                 auth_info = self._authenticate_external(
+                     context, auth)
+             except ExternalAuthNotApplicable:
+                 # Try local authentication
+                 auth_info = self._authenticate_local(
+                     context, auth)
  
  ...
-    def _authenticate_external(self, context, auth):
-         """Try to authenticate an external user via REMOTE_USER variable.
+    def _authenticate_external(self, context, auth):
+         """Try to authenticate an external user via REMOTE_USER variable.
  
-         Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
-         """
-         if 'REMOTE_USER' not in context.get('environment', {}):
-             raise ExternalAuthNotApplicable()
+         Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
+         """
+         if 'REMOTE_USER' not in context.get('environment', {}):
+             raise ExternalAuthNotApplicable()
  
-         #NOTE(jamielennox): xml and json differ and get confused about what
-         # empty auth should look like so just reset it.
-         if not auth:
-             auth = {}
+         #NOTE(jamielennox): xml and json differ and get confused about what
+         # empty auth should look like so just reset it.
+         if not auth:
+             auth = {}
  
-         username = context['environment']['REMOTE_USER']
-         try:
-             user_ref = self.identity_api.get_user_by_name(
-                 username, CONF.identity.default_domain_id)
-             user_id = user_ref['id']
-         except exception.UserNotFound as e:
-             raise exception.Unauthorized(e)
+         username = context['environment']['REMOTE_USER']
+         try:
+             user_ref = self.identity_api.get_user_by_name(
+                 username, CONF.identity.default_domain_id)
+             user_id = user_ref['id']
+         except exception.UserNotFound as e:
+             raise exception.Unauthorized(e)
  
-         metadata_ref = {}
-         tenant_id = self._get_project_id_from_auth(auth)
-         tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
-             user_id, tenant_id)
+         metadata_ref = {}
+         tenant_id = self._get_project_id_from_auth(auth)
+         tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
+             user_id, tenant_id)
  
-         expiry = core.default_expire_time()
-         bind = None
-         if ('kerberos' in CONF.token.bind and
-                 context['environment'].
-                 get('AUTH_TYPE', '').lower() == 'negotiate'):
-             bind = {'kerberos': username}
+         expiry = core.default_expire_time()
+         bind = None
+         if ('kerberos' in CONF.token.bind and
+                 context['environment'].
+                 get('AUTH_TYPE', '').lower() == 'negotiate'):
+             bind = {'kerberos': username}
  
-         return (user_ref, tenant_ref, metadata_ref, expiry, bind)
+         return (user_ref, tenant_ref, metadata_ref, expiry, bind)
  
- 
- The  _authenticate_external should not assume and have its own REMOTE_USER implementation,  instead it should look for the external method defined in keystone.conf and appropriately call the defined external class.
+ The  _authenticate_external should not assume and have its own
+ REMOTE_USER implementation,  instead it should look for the external
+ method defined in keystone.conf and appropriately call the defined
+ external class.
  
  The V3 call works fine and calls the right external class defined.
  curl -X POST -d '{"auth":{"identity":{"methods":["external"],"external":{}}}}'  -H "REMOTE_USER:admin" -H "Content-type: application/json" http://localhost:5000/v3/auth/tokens
  
  This is potentially a security hole as well, which will allow all V2
  API's to get Keystone token w/o password.

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  When keystone.conf is defined with external auth , all V2.0 API calls do
  not get intercepted by the defined external auth.
  
  this is my keystone.conf
  [auth]
  methods=password,token,external
  external=keystone.auth.plugins.idm_external.IDMDefaultDomain
  
  V.20 CURL to initiate external auth.
  curl -X POST -d '{"auth":{}}' -H "Content-type: application/json" -H "REMOTE_USER: admin" http://localhost:5000/v2.0/tokens
  
  What I'm seeing is the call gets to the keystone/token/controller.py,
  where it checks for the auth{} and executes the external authentication
  
          if "token" in auth:
              # Try to authenticate using a token
              auth_info = self._authenticate_token(
                  context, auth)
          else:
              # Try external authentication
              try:
                  auth_info = self._authenticate_external(
                      context, auth)
              except ExternalAuthNotApplicable:
                  # Try local authentication
                  auth_info = self._authenticate_local(
                      context, auth)
  
  ...
     def _authenticate_external(self, context, auth):
          """Try to authenticate an external user via REMOTE_USER variable.
  
          Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
          """
          if 'REMOTE_USER' not in context.get('environment', {}):
              raise ExternalAuthNotApplicable()
  
          #NOTE(jamielennox): xml and json differ and get confused about what
          # empty auth should look like so just reset it.
          if not auth:
              auth = {}
  
          username = context['environment']['REMOTE_USER']
          try:
              user_ref = self.identity_api.get_user_by_name(
                  username, CONF.identity.default_domain_id)
              user_id = user_ref['id']
          except exception.UserNotFound as e:
              raise exception.Unauthorized(e)
  
          metadata_ref = {}
          tenant_id = self._get_project_id_from_auth(auth)
          tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
              user_id, tenant_id)
  
          expiry = core.default_expire_time()
          bind = None
          if ('kerberos' in CONF.token.bind and
                  context['environment'].
                  get('AUTH_TYPE', '').lower() == 'negotiate'):
              bind = {'kerberos': username}
  
          return (user_ref, tenant_ref, metadata_ref, expiry, bind)
  
  The  _authenticate_external should not assume and have its own
  REMOTE_USER implementation,  instead it should look for the external
  method defined in keystone.conf and appropriately call the defined
  external class.
  
  The V3 call works fine and calls the right external class defined.
  curl -X POST -d '{"auth":{"identity":{"methods":["external"],"external":{}}}}'  -H "REMOTE_USER:admin" -H "Content-type: application/json" http://localhost:5000/v3/auth/tokens
  
  This is potentially a security hole as well, which will allow all V2
  API's to get Keystone token w/o password.

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1461728

Title:
  V2.0 API not calling defined external auth

Status in OpenStack Identity (Keystone):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  When keystone.conf is defined with external auth , all V2.0 API calls
  do not get intercepted by the defined external auth.

  this is my keystone.conf
  [auth]
  methods=password,token,external
  external=keystone.auth.plugins.idm_external.IDMDefaultDomain

  V.20 CURL to initiate external auth.
  curl -X POST -d '{"auth":{}}' -H "Content-type: application/json" -H "REMOTE_USER: admin" http://localhost:5000/v2.0/tokens

  What I'm seeing is the call gets to the keystone/token/controller.py,
  where it checks for the auth{} and executes the external
  authentication

          if "token" in auth:
              # Try to authenticate using a token
              auth_info = self._authenticate_token(
                  context, auth)
          else:
              # Try external authentication
              try:
                  auth_info = self._authenticate_external(
                      context, auth)
              except ExternalAuthNotApplicable:
                  # Try local authentication
                  auth_info = self._authenticate_local(
                      context, auth)

  ...
     def _authenticate_external(self, context, auth):
          """Try to authenticate an external user via REMOTE_USER variable.

          Returns auth_token_data, (user_ref, tenant_ref, metadata_ref)
          """
          if 'REMOTE_USER' not in context.get('environment', {}):
              raise ExternalAuthNotApplicable()

          #NOTE(jamielennox): xml and json differ and get confused about what
          # empty auth should look like so just reset it.
          if not auth:
              auth = {}

          username = context['environment']['REMOTE_USER']
          try:
              user_ref = self.identity_api.get_user_by_name(
                  username, CONF.identity.default_domain_id)
              user_id = user_ref['id']
          except exception.UserNotFound as e:
              raise exception.Unauthorized(e)

          metadata_ref = {}
          tenant_id = self._get_project_id_from_auth(auth)
          tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
              user_id, tenant_id)

          expiry = core.default_expire_time()
          bind = None
          if ('kerberos' in CONF.token.bind and
                  context['environment'].
                  get('AUTH_TYPE', '').lower() == 'negotiate'):
              bind = {'kerberos': username}

          return (user_ref, tenant_ref, metadata_ref, expiry, bind)

  The  _authenticate_external should not assume and have its own
  REMOTE_USER implementation,  instead it should look for the external
  method defined in keystone.conf and appropriately call the defined
  external class.

  The V3 call works fine and calls the right external class defined.
  curl -X POST -d '{"auth":{"identity":{"methods":["external"],"external":{}}}}'  -H "REMOTE_USER:admin" -H "Content-type: application/json" http://localhost:5000/v3/auth/tokens

  This is potentially a security hole as well, which will allow all V2
  API's to get Keystone token w/o password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1461728/+subscriptions