yahoo-eng-team team mailing list archive

[Bug 1971691] [NEW] Support application credentials as a source for EC2 auth

Public bug reported:

Unfortunately EC2 credentials are not secure enough. EC2 credentials are
not protected by limited roles, expiration time or access rules, and the
EC2 secret part is visible via get/list API calls. Leaked EC2 credentials
imply a big security risk in terms of access, because an EC2 creds token
has the same power as a regular user/pass auth.

EC2 AUTH is actively used by Swift S3 emulation (not limited only to
Swift, btw.). It would be nice to use application credentials as an auth
source in keystone internals and issue a limited access token. With all
the features application credentials provide, EC2 can get a second wind.

An example of EC2 auth request with application credentials:

$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID                               | Name          | Project ID                       | Description | Expires At                 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test          | f8d450e9cb7b4f1cbf664401d5bf1d29 | None        | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+

POST http://keystone:8080/v3/ec2tokens
{
  "credentials": {
    "access": "3defd466f04646d094a1ee4b6afc53e8",
    "body_hash": "***",
    "headers": {
      "Accept-Encoding": "identity",
      "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
      "Host": "keystone:8080",
      "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
      "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "X-Amz-Date": "20220505T101354Z",
      "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
    },
    "host": "",
    "params": {},
    "path": "/",
    "signature": "appCredSecretBasedSignature",
    "verb": "GET"
  }
}

An example of EC2 auth token response with application credentials:

{
  "token": {
    "application_credential": {
      "access_rules": [
        {
          "id": "9416a34e7f3b45ecb029063d8a239463",
          "method": "GET",
          "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
          "service": "key-manager"
        }
      ],
      "id": "3defd466f04646d094a1ee4b6afc53e8",
      "name": "test",
      "restricted": true
    },
    "audit_ids": [
      "m6C3NgSiQmqQnrBRySYW2A"
    ],
    "catalog": [...],
    "expires_at": "2022-05-05T18:24:48.000000Z",
    "is_admin_project": false,
    "is_domain": false,
    "issued_at": "2022-05-05T10:24:48.000000Z",
    "methods": [
      "application_credential"
    ],
    "project": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
      "name": "test"
    },
    "roles": [
      {
        "id": "a66c3a324bc24c0da7259faa03f2704d",
        "name": "limited_role"
      }
    ],
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "0c4cac95c039441d9b8bb509fe836110",
      "name": "appCredOwner",
      "password_expires_at": "2022-09-07T18:13:38.126030"
    }
  }
}

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: application credentials ec2
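As an added example (not code from the bug report or from keystone itself), here is how the AWS4-HMAC-SHA256 exchange shown above could be validated against an application credential: the client signs with the app cred secret, using the app cred ID as the EC2 access key, and the server recomputes the signature from the stored secret, refuses unknown or expired credentials, and compares in constant time. The in-memory credential store, the secret value and the helper names are assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# SHA-256 of an empty body: the X-Amz-Content-Sha256 value in the report above.
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed stand-in for keystone's application-credential store, keyed by the app cred
# ID that doubles as the EC2 access key: {id: (secret, expires_at)}. The secret is made up;
# the ID and expiry are the ones `openstack application credential list` printed above.
APP_CREDS = {
    "3defd466f04646d094a1ee4b6afc53e8": ("example-app-cred-secret", "2219-02-13T12:12:12.000000"),
}


def canonical_request(verb, path, params, headers, signed_headers, body_hash):
    """SigV4 canonical request assembled from the fields an ec2tokens body carries."""
    query = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    signed = sorted(h.lower() for h in signed_headers)
    canon_headers = "".join(f"{h}:{lower[h]}\n" for h in signed)
    return "\n".join([verb, path, query, canon_headers, ";".join(signed), body_hash])


def sigv4_signature(secret, scope, amz_date, canon_req):
    """Derive the SigV4 signing key from the app cred secret and sign the string-to-sign."""
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    req_hash = hashlib.sha256(canon_req.encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, req_hash])
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def build_ec2_request(access, secret, amz_date, region="RegionOne", service="s3"):
    """Client side: the `credentials` object a client POSTs to /v3/ec2tokens (GET /, empty body)."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    headers = {"Host": "keystone:8080", "X-Amz-Content-Sha256": EMPTY_BODY_SHA256, "X-Amz-Date": amz_date}
    signed = ["host", "x-amz-content-sha256", "x-amz-date"]
    sig = sigv4_signature(secret, scope, amz_date,
                          canonical_request("GET", "/", {}, headers, signed, EMPTY_BODY_SHA256))
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access}/{scope}, "
                                f"SignedHeaders={';'.join(signed)}, Signature={sig}")
    return {"access": access, "body_hash": EMPTY_BODY_SHA256, "headers": headers, "host": "",
            "params": {}, "path": "/", "signature": sig, "verb": "GET"}


def verify_ec2_credentials(cred, now_iso):
    """Server side: recompute the signature with the stored secret and enforce the app cred expiry."""
    algo, rest = cred["headers"]["Authorization"].split(" ", 1)
    fields = dict(p.strip().split("=", 1) for p in rest.split(","))
    access, scope = fields["Credential"].split("/", 1)
    claimed = fields["Signature"]
    if algo != "AWS4-HMAC-SHA256" or access != cred["access"] or claimed != cred["signature"]:
        return False
    entry = APP_CREDS.get(access)
    if entry is None or datetime.fromisoformat(now_iso) >= datetime.fromisoformat(entry[1]):
        return False  # unknown access key, or the application credential has already expired
    canon = canonical_request(cred["verb"], cred["path"], cred["params"], cred["headers"],
                              fields["SignedHeaders"].split(";"), cred["body_hash"])
    expected = sigv4_signature(entry[0], scope, cred["headers"]["X-Amz-Date"], canon)
    return hmac.compare_digest(expected, claimed)  # constant-time comparison
```

A real implementation would hold a hash of the secret rather than the plaintext and would also reject requests whose X-Amz-Date is far from the server clock; both are left out here to keep the signing path visible.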

** Summary changed:

- Add application credentials as a source for EC2 auth
+ Support application credentials as a source for EC2 auth

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1971691

Title:
  Support application credentials as a source for EC2 auth

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1971691/+subscriptions