← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1268751] Re: Potential token revocation abuse via group membership

 

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1268751

Title:
  Potential token revocation abuse via group membership

Status in OpenStack Identity (keystone):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  If a group is deleted, all tokens for all users that are a member of
  that group are revoked.  This leads to potential abuse:

  1.  A group admin adds a user to a group without users knowledge
  2. User creates token
  3. Admin  deletes group.  
  4.  All of the users tokens are revoked.

  Admittedly, this abuse must be instigated by a group admin, which is
  the global admin in the default policy file, but an alternative policy
  file could allow for the delegation of "add user to group" behavior.
  In such a system, this could act as a denial of service attack for a
  set of users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1268751/+subscriptions