yahoo-eng-team team mailing list archive
Message #47231
[Bug 1071815] Re: auth_token middleware does not check if an endpoint is in the service catalog
** Project changed: keystone => keystonemiddleware
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1071815
Title:
auth_token middleware does not check if an endpoint is in the service
catalog
Status in keystonemiddleware:
Triaged
Bug description:
We include the catalog in the token, but it is not checked. Thus, a
token that is intended for a subset of the endpoints can be used on
additional endpoints. This prevents a user from creating a token
specific to an endpoint. The comparable mechanism is service tickets
in Kerberos. If a rogue service gets a ticket in Kerberos, it cannot
reuse that ticket elsewhere. With the current token scheme, all
tokens on a compromised server are at risk of being abused throughout
an OpenStack deployment.
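Added example, not part of the original bug report and not keystonemiddleware code: a sketch of the missing check, in which a service accepts a token only if the catalog carried in that token lists the service's own endpoint. The function names, the sample URLs and the fail-closed handling of a missing catalog are assumptions; the token layout follows the Keystone v3 token body (`token.catalog[].endpoints[].url`).

```python
from urllib.parse import urlsplit

# Constructed sample: a validated Keystone v3 token body whose catalog was
# restricted to a single compute endpoint (all values are made up).
SAMPLE_TOKEN = {
    "token": {
        "catalog": [
            {
                "type": "compute",
                "endpoints": [
                    {"interface": "public", "region": "RegionOne",
                     "url": "https://compute.example.test:8774/v2.1"},
                ],
            }
        ]
    }
}


def _origin(url):
    """Reduce a URL to (scheme, host, port) so path differences are ignored."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, (parts.hostname or ""), port


def endpoint_in_catalog(token_body, service_type, my_url):
    """Return True only if the token's catalog lists this service's endpoint.

    Hypothetical helper: my_url is the URL this service is deployed at.
    """
    catalog = token_body.get("token", {}).get("catalog")
    if not catalog:
        # Assumption: fail closed when the token carries no catalog at all.
        return False
    mine = _origin(my_url)
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            if _origin(endpoint.get("url", "")) == mine:
                return True
    return False
```

A service would run this after the token itself has been validated and reject the request when it returns False, so a token scoped to one endpoint is refused everywhere else.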