yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #58830
[Bug 1268751] Re: Potential token revocation abuse via group membership
** Changed in: keystone
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1268751
Title:
Potential token revocation abuse via group membership
Status in OpenStack Identity (keystone):
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
If a group is deleted, all tokens for all users that are a member of
that group are revoked. This leads to potential abuse:
1. A group admin adds a user to a group without users knowledge
2. User creates token
3. Admin deletes group.
4. All of the users tokens are revoked.
Admittedly, this abuse must be instigated by a group admin, which is
the global admin in the default policy file, but an alternative policy
file could allow for the delegation of "add user to group" behavior.
In such a system, this could act as a denial of service attack for a
set of users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1268751/+subscriptions