yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #61788
[Bug 1649446] Re: Non-Admin Access to Revocation Events
** Changed in: charm-keystone
Status: New => Fix Committed
** Changed in: charm-keystone
Assignee: (unassigned) => Frode Nordahl (fnordahl)
** Changed in: keystone (Juju Charms Collection)
Status: Fix Committed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1649446
Title:
Non-Admin Access to Revocation Events
Status in OpenStack keystone charm:
Fix Committed
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Status in keystone package in Juju Charms Collection:
Invalid
Bug description:
With the default Keystone policy any authed user can list all revocation events for the cluster:
https://github.com/openstack/keystone/blob/master/etc/policy.json#L179
This can be done by directly calling the API as such:
curl -g -i -X GET http://localhost/identity/v3/OS-REVOKE/events -H "Accept: application/json" -H "X-Auth-Token: <non_admin_token_goes_here>"
and this will provide you with a normal revocation event list (see
attachment).
This will allow a user to over time collect a list of user_ids and
project_ids. The project_ids aren't particularly useful, but the
user_ids can be used to lock people of of their accounts. Or if rate
limiting is not setup (a bad idea), or somehow bypassed, would allow
someone to brute force access to those ids.
Knowing the ids is no worse than knowing the usernames, but as a non-
admin you shouldn't have access to such a list anyway.
It is also worth noting that OpenStack policy files are rife with
these blank policy rules, not just Keystone. Some are safe and
intended to be accessible by any authed user, others are checked at
the code layer, but there may be other rules that are unsafe to expose
to any authed user and as such should actually default to
"rule:admin_required" or something other than blank.
To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone/+bug/1649446/+subscriptions