
yahoo-eng-team team mailing list archive

[Bug 1545789] Re: keystone ADMIN_TOKEN set by default can lead to default insecure deployment

Agreed on the B1 (insecure default value), and I added an OSSN task for an eventual Security Note.
Thanks!

** Also affects: ossn
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1545789

Title:
  keystone ADMIN_TOKEN set by default can lead to default insecure
  deployment

Status in OpenStack Identity (keystone):
  Triaged
Status in OpenStack Security Notes:
  New

Bug description:
  The Keystone configuration sets the ADMIN_TOKEN option to "ADMIN" by
  default, which means that unless the deployment specifically changes
  this value to a secure value, the filter "admin_auth_token" will
  accept the value of "ADMIN" as an all-access administrative token for
  the openstack deployment (when interacting with keystone).

  https://github.com/openstack/keystone/blob/406fbfaa2689255fb54cf1eb07403f392c735c53/keystone/common/config.py#L49-L56

  The fix will be to make this value "None" by default, and if the
  option is unset, the "admin_token_auth" filter will simply pass,
  continuing to allow normal credentials to work.

  This is a CLASS B1 (my assessment) https://security.openstack.org/vmt-process.html#incident-report-taxonomy

  This bug was opened so we can issue an OSSA/OSSN with the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1545789/+subscriptions
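The behaviour the bug description attributes to the admin token filter, written out as an added example so the two configurations can be compared side by side. This is not keystone's code: the filter class, the stand-in identity app, the `handle` helper, the `audit_admin_token` config check and every sample value are constructed for this illustration. Only the `X-Auth-Token` header name and the shipped default `"ADMIN"` come from the report. With the token set, any caller presenting that exact string is treated as an administrator; with the option unset (the fix the report proposes), the filter is a no-op and the same request falls through to ordinary credential handling and is rejected. The comparison uses `hmac.compare_digest` so a set token is not compared byte by byte with an early exit.

```python
"""Model of the admin-token filter described in bug 1545789 (added example,
not keystone's own code).

AdminTokenFilter, identity_app, handle and audit_admin_token are constructed
for this illustration; X-Auth-Token and the default "ADMIN" are from the report.
"""
import hmac
from typing import Callable, Dict, Optional

Environ = Dict[str, object]

# The shipped default the bug report describes as the insecure value.
DEFAULT_INSECURE_TOKEN = "ADMIN"


class AdminTokenFilter:
    """Pipeline filter modelled on the report's description.

    If admin_token is set and the request carries exactly that value in
    X-Auth-Token, the request is flagged as administrative.  If admin_token
    is None (the proposed fix's default) the filter does nothing and the
    request continues to normal credential handling.
    """

    def __init__(self, app: Callable[[Environ], dict], admin_token: Optional[str]):
        self.app = app
        self.admin_token = admin_token

    def __call__(self, environ: Environ) -> dict:
        presented = environ.get("HTTP_X_AUTH_TOKEN")
        if self.admin_token is not None and isinstance(presented, str):
            # Constant-time comparison: no early exit on the first differing byte.
            if hmac.compare_digest(presented.encode(), self.admin_token.encode()):
                environ["is_admin"] = True
        return self.app(environ)


def identity_app(environ: Environ) -> dict:
    """Stand-in for the rest of the pipeline (constructed for the example).

    Honours the is_admin flag set by the filter; otherwise it only accepts a
    single constructed credential token and rejects everything else.
    """
    if environ.get("is_admin"):
        return {"status": 200, "role": "admin", "via": "admin_token"}
    if environ.get("HTTP_X_AUTH_TOKEN") == "valid-user-token":  # constructed value
        return {"status": 200, "role": "member", "via": "credentials"}
    return {"status": 401, "role": None, "via": None}


def handle(admin_token: Optional[str], presented_token: str) -> dict:
    """Run one request carrying presented_token through a pipeline whose
    admin token option is set to admin_token (None means unset)."""
    pipeline = AdminTokenFilter(identity_app, admin_token)
    return pipeline({"HTTP_X_AUTH_TOKEN": presented_token})


def audit_admin_token(config: Dict[str, Dict[str, Optional[str]]]) -> Optional[str]:
    """Config review helper: return a finding string when the [DEFAULT]
    admin_token option still holds the shipped default, None otherwise.

    The config is a plain dict of sections to options (constructed shape)."""
    value = config.get("DEFAULT", {}).get("admin_token")
    if value == DEFAULT_INSECURE_TOKEN:
        return "admin_token is the shipped default 'ADMIN'; unset it or replace it"
    return None


if __name__ == "__main__":
    # Insecure default: knowing the string "ADMIN" is enough to be admin.
    print(handle("ADMIN", "ADMIN"))
    # Fixed default (unset): the filter passes, and "ADMIN" is just an invalid token.
    print(handle(None, "ADMIN"))
    print(handle(None, "valid-user-token"))
    print(audit_admin_token({"DEFAULT": {"admin_token": "ADMIN"}}))
```

Running the module prints an admin result for the first call and a 401 for the second, which is the whole point of the proposed fix: the same request stops being privileged once the option has no value. The `audit_admin_token` check is the kind of one-line review a deployer can apply to an existing `keystone.conf` before the patched default reaches them.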