
yahoo-eng-team team mailing list archive

[Bug 965502] Re: lack of service endpoint filtering for token validation can be a security vulnerability


It is not a security vulnerability.

** Changed in: keystone
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/965502

Title:
  lack of service endpoint filtering for token validation can be a
  security vulnerability

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  There was a bug logged against Keystone Essex 3 for the potential
  security issue with service role conflicts.

  https://bugs.launchpad.net/keystone/+bug/890411

  Similarly, the lack of service endpoint ID filtering could also be a
  security issue. A service can have multiple endpoints (i.e. one in
  each geographic location). However, a user may only be allowed to
  access a subset of the service endpoints, based on authorization
  policy. Currently, there's no way to filter service endpoints during
  token validation.

  The following example illustrates the problem:

  1) user activates Compute in AZ1 for tenantId XYZ
  2) user calls Compute endpoint in AZ2 passing tenantId XYZ in the URL
  3) Nova will allow #2 because it currently only authenticates at the 'tenant' level and not down to the service endpoint

  To mitigate this problem, we need to introduce an optional service
  endpoint filtering capability for token validation and EC2 signature
  validation, much the same way as service ID filtering in bug 890411.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/965502/+subscriptions
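The three-step scenario in the bug description, modelled as an added example; this is illustrative code written for this archive page, not Keystone's or Nova's own validation logic. The `Token`, `Endpoint` and `CATALOG` names, the `allowed_endpoint_ids` field, and the endpoint IDs are all assumptions constructed for the example. The tenant-only check is the behaviour the report describes; the second validator adds the optional endpoint filter the report asks for, and falls back to tenant-only behaviour when no filter is configured.

```python
"""
Added example (not Keystone/Nova code): token validation with and
without service endpoint filtering, following bug 965502's scenario.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet


@dataclass(frozen=True)
class Endpoint:
    """One service endpoint in the catalog (hypothetical structure)."""
    endpoint_id: str
    service: str
    region: str


@dataclass(frozen=True)
class Token:
    """A validated token (hypothetical structure).

    allowed_endpoint_ids is the optional filter the bug proposes:
    None means "no endpoint restriction", i.e. the pre-filtering behaviour.
    """
    token_id: str
    tenant_id: str
    allowed_endpoint_ids: Optional[FrozenSet[str]] = None


# Constructed sample catalog: one Compute endpoint per availability zone.
CATALOG = {
    "ep-compute-az1": Endpoint("ep-compute-az1", "compute", "AZ1"),
    "ep-compute-az2": Endpoint("ep-compute-az2", "compute", "AZ2"),
}


def validate_tenant_only(token: Token, request_tenant_id: str) -> bool:
    """The check the bug describes: the tenant in the URL must match the
    token's tenant. Nothing ties the token to a particular endpoint."""
    return token.tenant_id == request_tenant_id


def validate_with_endpoint_filter(token: Token, request_tenant_id: str,
                                  endpoint_id: str) -> bool:
    """Tenant check plus the optional endpoint filter.

    - unknown endpoint IDs are rejected (fail closed)
    - a token without a filter behaves exactly as before
    - a token with a filter is only valid at the listed endpoints
    """
    if token.tenant_id != request_tenant_id:
        return False
    if endpoint_id not in CATALOG:
        return False
    if token.allowed_endpoint_ids is None:
        return True
    return endpoint_id in token.allowed_endpoint_ids


def scenario():
    """Replay the bug's three steps for tenant XYZ activated in AZ1 only.

    Returns (tenant_only_allows_az2, filtered_allows_az1, filtered_allows_az2).
    """
    # Step 1: Compute activated in AZ1 for tenant XYZ, so the token is
    # scoped to the AZ1 endpoint only (constructed sample token).
    token = Token(
        token_id="tok-sample",
        tenant_id="XYZ",
        allowed_endpoint_ids=frozenset({"ep-compute-az1"}),
    )
    # Step 2/3: the same tenant ID is presented at the AZ2 endpoint.
    tenant_only_az2 = validate_tenant_only(token, "XYZ")
    filtered_az1 = validate_with_endpoint_filter(token, "XYZ", "ep-compute-az1")
    filtered_az2 = validate_with_endpoint_filter(token, "XYZ", "ep-compute-az2")
    return tenant_only_az2, filtered_az1, filtered_az2


if __name__ == "__main__":
    tenant_only, az1, az2 = scenario()
    print(f"tenant-only check lets AZ2 through: {tenant_only}")
    print(f"endpoint filter allows AZ1: {az1}, allows AZ2: {az2}")
```

Running the script shows the tenant-only check accepting the AZ2 request (the reported gap) while the filtered check accepts AZ1 and rejects AZ2. Because `allowed_endpoint_ids` defaults to `None`, tokens issued without a filter keep the old behaviour, which is what "optional" filtering in the report implies; the fail-closed branch for unknown endpoint IDs is a design choice of this example rather than something the report specifies.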