yahoo-eng-team team mailing list archive
Message #40314
[Bug 1499555] Re: You can crash keystone or make the DB very slow by assigning many roles
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1499555
Title:
You can crash keystone or make the DB very slow by assigning many roles
Status in Keystone:
Triaged
Status in OpenStack Security Advisory:
Incomplete
Bug description:
This is applicable for UUID and PKI tokens.
The token table has an extra column where we store role information. It is a
blob with a 64K limit. Basically we can do the following to fill the BLOB:
Say the user is U and the project is P
    for i = 1 to 1000 (or any large number)
        role x = create role i with some large name
        assign role x for user U and project P
    create a project scoped token for user U
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1499555/+subscriptions
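An operator-side audit, added here and not part of the bug report or of keystone itself: it estimates, per (user, project) pair, how large the token's role list would be and flags pairs that would exceed the 64K blob the report describes, plus the largest role count that still fits for a given name length. The serialization layout (a compact JSON list of id/name entries), the 65535-byte limit, the 36-character role ids and the sample assignments are all assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Assumption: the report's "64K" blob is taken to be 65535 bytes.
ROLE_BLOB_LIMIT = 65535


def serialized_role_size(roles):
    """Byte size of a role list as we assume it lands in the token's extra
    column: a compact JSON list of {"id": ..., "name": ...} entries.
    `roles` is an iterable of (role_id, role_name) pairs."""
    payload = [{"id": rid, "name": name} for rid, name in roles]
    return len(json.dumps(payload, separators=(",", ":")).encode("utf-8"))


def audit_role_assignments(assignments, limit=ROLE_BLOB_LIMIT):
    """Group (user_id, project_id, role_id, role_name) assignments by
    (user, project) and return {(user, project): size} for every pair whose
    serialized role list would not fit in a blob of `limit` bytes."""
    grouped = defaultdict(list)
    for user_id, project_id, role_id, role_name in assignments:
        grouped[(user_id, project_id)].append((role_id, role_name))
    return {
        pair: size
        for pair, roles in grouped.items()
        if (size := serialized_role_size(roles)) > limit
    }


def max_roles_that_fit(name_len, id_len=36, limit=ROLE_BLOB_LIMIT):
    """Largest role count with ASCII ids/names of the given lengths whose
    serialized list still fits in `limit` bytes (useful as a per-pair cap).
    Each entry costs 19 + id_len + name_len bytes, plus one comma between
    entries and two bytes for the surrounding brackets."""
    per_entry = 19 + id_len + name_len
    return (limit - 1) // (per_entry + 1)


# Constructed sample: one ordinary user and one (user, project) pair that has
# been given 1000 roles with 255-character names, as in the report's loop.
SAMPLE_ASSIGNMENTS = [
    ("user-a", "proj-1", f"role-{i}", name)
    for i, name in enumerate(["admin", "member", "reader"])
] + [("user-u", "proj-p", f"role-{i:04d}", "x" * 255) for i in range(1000)]

if __name__ == "__main__":
    for pair, size in audit_role_assignments(SAMPLE_ASSIGNMENTS).items():
        print(f"{pair}: role blob would be {size} bytes (> {ROLE_BLOB_LIMIT})")
    print("255-char names, 36-char ids: at most",
          max_roles_that_fit(255), "roles fit")
```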