yahoo-eng-team team mailing list archive
Message #46302
[Bug 1545789] [NEW] keystone ADMIN_TOKEN set by default can lead to default insecure deployment
*** This bug is a security vulnerability ***
Public security bug reported:
The Keystone configuration sets the ADMIN_TOKEN option to "ADMIN" by
default, which means that unless the deployment specifically changes
this value to a secure value, the filter "admin_auth_token" will accept
the value of "ADMIN" as an all-access administrative token for the
openstack deployment (when interacting with keystone).
https://github.com/openstack/keystone/blob/406fbfaa2689255fb54cf1eb07403f392c735c53/keystone/common/config.py#L49-L56
The fix will be to make this value "None" by default, and if the option
is unset, the "admin_token_auth" filter will simply pass, continuing to
allow normal credentials to work.
This is a CLASS B1 (my assessment) https://security.openstack.org/vmt-process.html#incident-report-taxonomy
This bug was opened so we can issue an OSSA/OSSN with the fix.
** Affects: keystone
Importance: Medium
Assignee: Adam Young (ayoung)
Status: Triaged
https://bugs.launchpad.net/bugs/1545789
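As an added example (not from the bug report or from keystone's own code), a small Python check that classifies the admin_token value found in a keystone.conf and models the pass-through decision the report describes for the fixed admin_token_auth filter; the sample config fragments, the 32-character strength threshold and the function names are assumptions.

```python
"""Added check for the insecure keystone ADMIN_TOKEN default described in bug 1545789.
Constructed example, not keystone code; threshold and sample configs are assumptions."""
import configparser
import hmac
import secrets
from typing import Optional

INSECURE_DEFAULT = "ADMIN"   # the shipped default the bug report describes
MIN_TOKEN_LEN = 32           # assumed minimum length for a custom token to count as strong

# Constructed keystone.conf fragments used as sample input.
SHIPPED_DEFAULT_CONF = "[DEFAULT]\nadmin_token = ADMIN\n"
UNSET_CONF = "[DEFAULT]\n#admin_token = <None>\n"


def audit_admin_token(conf_text: str) -> str:
    """Classify the [DEFAULT] admin_token option in a keystone.conf text.

    'unset'    -> option absent or empty: with the fix, admin_token_auth just passes
    'insecure' -> still the shipped "ADMIN" default (any casing)
    'weak'     -> custom value shorter than MIN_TOKEN_LEN
    'set'      -> custom value of acceptable length
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value = (cp.get("DEFAULT", "admin_token", fallback="") or "").strip()
    if not value:
        return "unset"
    if value.upper() == INSECURE_DEFAULT:
        return "insecure"
    return "weak" if len(value) < MIN_TOKEN_LEN else "set"


def admin_token_grants_admin(configured: Optional[str], presented: Optional[str]) -> bool:
    """Model of the post-fix admin_token_auth decision: an unset option never grants
    the all-access context, and a configured one must match the presented header
    (compared in constant time); otherwise normal credential auth applies."""
    if not configured:
        return False
    return hmac.compare_digest(configured.encode(), (presented or "").encode())


def new_admin_token() -> str:
    """Generate a replacement value that passes the audit (64 hex characters)."""
    return secrets.token_hex(MIN_TOKEN_LEN)


if __name__ == "__main__":
    for name, conf in (("shipped default", SHIPPED_DEFAULT_CONF), ("unset", UNSET_CONF)):
        print(f"{name}: {audit_admin_token(conf)}")
    print("header 'ADMIN' with option unset grants admin:", admin_token_grants_admin(None, "ADMIN"))
```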