yahoo-eng-team team mailing list archive
Message #60450
[Bug 1656076] Re: The keystone server auth plugin methods could mismatch user_id in auth_context
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone
Assignee: (unassigned) => Morgan Fainberg (mdrnstm)
** Also affects: keystone/newton
Importance: Undecided
Status: New
** Also affects: keystone/mitaka
Importance: Undecided
Status: New
** Also affects: keystone/ocata
Importance: Medium
Assignee: Morgan Fainberg (mdrnstm)
Status: Triaged
** Changed in: keystone/newton
Status: New => Triaged
** Changed in: keystone/newton
Importance: Undecided => Medium
** Changed in: keystone/mitaka
Status: New => Triaged
** Changed in: keystone/mitaka
Importance: Undecided => Medium
** Changed in: keystone/mitaka
Assignee: (unassigned) => Morgan Fainberg (mdrnstm)
** Changed in: keystone/newton
Assignee: (unassigned) => Morgan Fainberg (mdrnstm)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1656076
Title:
The keystone server auth plugin methods could mismatch user_id in
auth_context
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Identity (keystone) mitaka series:
Triaged
Status in OpenStack Identity (keystone) newton series:
Triaged
Status in OpenStack Identity (keystone) ocata series:
Triaged
Bug description:
The keystone server blindly overwrites the auth_context.user_id in
each auth method that is run. This means that the last auth_method
that is run for a given authentication request dictates the user_id.
While this is not exploitable externally without misconfiguration of
the external plugin methods and supporting services, this is a bad
state that could relatively easily result in someone ending up
authenticated with the wrong user_id.
The simplest fix will be to have the for loop in the authentication
controller (that iterates over the methods) to verify the user_id does
not change between auth_methods executed.
https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557
This has been marked as public security for hardening purposes, likely
a "Class D" https://security.openstack.org/vmt-process.html#incident-report-taxonomy
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions
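As an added illustration (constructed example code, not keystone's implementation and not part of the bug report), the following Python model shows the loop the description refers to: an auth_context dict that each auth method writes user_id into, the "last method wins" behaviour that the bug describes, and the per-iteration consistency check it proposes as the simplest fix. The PasswordMethod and ExternalMethod classes, the METHODS table and the request dicts are all stand-ins invented for this example; the ExternalMethod deliberately trusts whatever identity the request asserts, standing in for the misconfigured external plugin the report names as the precondition.

```python
"""Model of an auth-method loop over a shared auth_context, with the
user_id consistency check proposed in keystone bug 1656076.
All classes, names and sample requests here are constructed for the example."""


class Unauthorized(Exception):
    """Raised when the authentication request must be rejected."""


class PasswordMethod:
    """Stand-in password plugin backed by a constructed credential table."""
    _users = {"alice": "user-1111", "bob": "user-2222"}

    def authenticate(self, identity, auth_context):
        name = identity["user"]["name"]
        if name not in self._users:
            raise Unauthorized("bad credentials")
        auth_context["user_id"] = self._users[name]


class ExternalMethod:
    """Stand-in 'external' plugin that trusts an identity asserted upstream.
    This models the misconfigured external method the bug report assumes."""

    def authenticate(self, identity, auth_context):
        auth_context["user_id"] = identity["external"]["asserted_user_id"]


# Hypothetical method registry; a real server looks plugins up by name.
METHODS = {"password": PasswordMethod(), "external": ExternalMethod()}


def authenticate_unchecked(auth_request):
    """Bug behaviour: every method overwrites user_id, so the last one wins."""
    auth_context = {}
    for name in auth_request["identity"]["methods"]:
        METHODS[name].authenticate(auth_request["identity"], auth_context)
    return auth_context["user_id"]


def authenticate_checked(auth_request):
    """Hardened loop: a method may not change a user_id set by an earlier one."""
    auth_context = {}
    for name in auth_request["identity"]["methods"]:
        previous_user_id = auth_context.get("user_id")
        METHODS[name].authenticate(auth_request["identity"], auth_context)
        current_user_id = auth_context.get("user_id")
        if previous_user_id is not None and current_user_id != previous_user_id:
            # Reject rather than silently continuing with the newer identity.
            raise Unauthorized(
                "auth method %r resolved user_id %r but an earlier method "
                "resolved %r" % (name, current_user_id, previous_user_id))
    return auth_context["user_id"]


def rejects(auth_request):
    """True when the hardened loop refuses the request."""
    try:
        authenticate_checked(auth_request)
    except Unauthorized:
        return True
    return False


# Constructed requests. In the mismatched one the password proves alice
# but the external assertion names bob's user_id.
MISMATCHED_REQUEST = {
    "identity": {
        "methods": ["password", "external"],
        "user": {"name": "alice"},
        "external": {"asserted_user_id": "user-2222"},
    }
}
CONSISTENT_REQUEST = {
    "identity": {
        "methods": ["password", "external"],
        "user": {"name": "alice"},
        "external": {"asserted_user_id": "user-1111"},
    }
}

if __name__ == "__main__":
    print("unchecked, mismatched:", authenticate_unchecked(MISMATCHED_REQUEST))
    print("checked, consistent:", authenticate_checked(CONSISTENT_REQUEST))
    print("checked, mismatched rejected:", rejects(MISMATCHED_REQUEST))
```

Running the block shows the unchecked loop returning bob's user_id for a request whose password proved alice, while the checked loop only accepts the request when every method agrees on the same user_id. The check compares against whatever the previous method stored rather than against the first method only, so a mismatch introduced at any position in the method list is caught in the iteration that introduces it.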