yahoo-eng-team team mailing list archive
Message #60340
[Bug 1649446] Re: Non-Admin Access to Revocation Events
Reviewed: https://review.openstack.org/416841
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d4a890a6c8bd6927e229f4b665a982a51c130073
Submitter: Jenkins
Branch: master
commit d4a890a6c8bd6927e229f4b665a982a51c130073
Author: Steve Martinelli <s.martinelli@xxxxxxxxx>
Date: Thu Jan 5 00:41:34 2017 -0500
listing revoke events should be admin only
Currently any user can list revocation events; this data contains
IDs for users and projects. It should not be made available to
any user that is able to authenticate; it should be an admin-only
API call.
Change-Id: I4290163c67c84ef0e1a2f6ee967ddf2acb2c3212
Closes-Bug: 1649446
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1649446
Title:
Non-Admin Access to Revocation Events
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
With the default Keystone policy, any authed user can list all revocation events for the cluster:
https://github.com/openstack/keystone/blob/master/etc/policy.json#L179
This can be done by directly calling the API as such:
curl -g -i -X GET http://localhost/identity/v3/OS-REVOKE/events -H "Accept: application/json" -H "X-Auth-Token: <non_admin_token_goes_here>"
and this will provide you with a normal revocation event list (see
attachment).
This will allow a user to, over time, collect a list of user_ids and
project_ids. The project_ids aren't particularly useful, but the
user_ids can be used to lock people out of their accounts. Or, if rate
limiting is not set up (a bad idea) or is somehow bypassed, it would allow
someone to brute force access to those ids.
Knowing the ids is no worse than knowing the usernames, but as a non-
admin you shouldn't have access to such a list anyway.
It is also worth noting that OpenStack policy files are rife with
these blank policy rules, not just Keystone. Some are safe and
intended to be accessible by any authed user, others are checked at
the code layer, but there may be other rules that are unsafe to expose
to any authed user and as such should actually default to
"rule:admin_required" or something other than blank.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1649446/+subscriptions
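As an added defensive illustration of the report's closing point about blank policy rules (this is not code from the report or from keystone): a small Python audit that loads a policy.json and flags API rules that resolve, directly or through a "rule:" alias, to a blank rule, which in OpenStack policy means any authenticated user passes. The sample policy is constructed, and the helper names `is_effectively_blank` and `find_blank_api_rules` are assumptions of this example.

```python
import json

# Constructed sample modelled on the blank-rule pattern the report describes
# (not the real keystone policy.json): "" means any authenticated user passes.
SAMPLE_POLICY = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "open_alias": "",
    "identity:list_revoke_events": "",
    "identity:get_user": "rule:admin_required",
    "identity:list_projects_for_user": "rule:open_alias",
    "identity:get_domain": "rule:admin_required or rule:open_alias",
})


def is_effectively_blank(policy, name, _seen=None):
    """True when the rule grants access to every authenticated caller.

    Handles the empty string, a bare "rule:<alias>" reference, and a
    top-level "or" disjunction containing a blank term. Anything else
    (role:, and-chains, parentheses) is treated as restrictive, so this
    check may under-report but never flags a genuinely restricted rule.
    """
    _seen = _seen or set()
    if name in _seen:            # guard against alias cycles
        return False
    _seen = _seen | {name}
    expr = policy.get(name)
    if expr is None:             # undefined alias: leave it for a human
        return False
    for term in (t.strip() for t in expr.split(" or ")):
        if term == "":
            return True
        if term.startswith("rule:") and is_effectively_blank(policy, term[5:], _seen):
            return True
    return False


def find_blank_api_rules(policy_json):
    """Return the sorted API rule names (those containing ':') that any
    authenticated user can invoke under this policy file."""
    policy = json.loads(policy_json)
    return sorted(name for name in policy
                  if ":" in name and is_effectively_blank(policy, name))


if __name__ == "__main__":
    for rule in find_blank_api_rules(SAMPLE_POLICY):
        print(f'{rule}: open to any authenticated user; consider "rule:admin_required"')
```

Run it against a real policy.json by reading the file into a string and passing it to `find_blank_api_rules`; each flagged rule is a candidate for "rule:admin_required" or another explicit check.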