openstack-security-notes/notes/OSSN-0009
Nathan Kinder 5380798f05 Add OSSN-0009 - Potential token revocation abuse via group membership
This adds OSSN-0009, which covers an issue related to the ability
for a user to abuse group operations in Keystone to trigger
revocation of tokens for other users.

Change-Id: Ic59048442a78fd37b4dcb608ee1a468af70fa82d
Related-Bug: #1268751
2014-04-01 19:48:58 -07:00


Potential token revocation abuse via group membership
---
### Summary ###
Deletion of groups in Keystone causes token revocation for group
members. If group capabilities are delegated to users, they can abuse
those capabilities to maliciously revoke tokens for other users.
### Affected Services / Software ###
Keystone, Grizzly, Havana, Icehouse
### Discussion ###
If a group is deleted from Keystone, all tokens for all users that are
members of that group are revoked. By adding users to a group without
those users' knowledge and then deleting that group, a group admin can
revoke all of those users' tokens. While the default policy file
reserves group administration for the global admin role, an alternative
policy could delegate the "create_group", "add_user_to_group", and
"delete_group" capabilities to a set of users. In such a system, those
users also gain a token revocation capability. Only setups using a
custom policy file in Keystone are affected.
### Recommended Actions ###
Keystone's default policy.json file uses the "admin_required" rule for
the "create_group", "delete_group", and "add_user_to_group"
capabilities. It is recommended that you use this default configuration
if possible. Here is an example snippet of a properly configured
policy.json file:
---- begin example policy.json snippet ----
"identity:create_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
---- end example policy.json snippet ----
If you need to delegate the above capabilities to non-admin users, you
need to take into account that those users will be able to revoke
tokens for other users by performing group deletion operations. Take
care when deciding to whom you delegate these capabilities.
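As an added illustration, not part of this OSSN or of Keystone itself, the following audit parses a policy.json and reports which of the three group capabilities are bound to anything other than "rule:admin_required". The two sample policies and the "group_admin" role are constructed; the fallback to the "default" rule for a missing target is assumed to match Keystone's policy engine behaviour.

```python
import json

# The three Keystone group capabilities this note discusses. Delegating them
# away from admin_required also delegates the ability to revoke other users'
# tokens (add them to a group, then delete the group).
GROUP_CAPABILITIES = (
    "identity:create_group",
    "identity:delete_group",
    "identity:add_user_to_group",
)


def audit_group_policy(policy_text):
    """Return {capability: effective_rule} for every group capability that is
    not bound exactly to rule:admin_required. An empty dict is the safe case."""
    policy = json.loads(policy_text)
    findings = {}
    for cap in GROUP_CAPABILITIES:
        rule = policy.get(cap)
        if rule is None:
            # Assumption: a missing target falls back to the "default" rule,
            # and an absent "default" is treated as an empty (open) rule.
            rule = policy.get("default", "")
        if rule.strip() != "rule:admin_required":
            findings[cap] = rule
    return findings


# Constructed sample: the recommended default binding from this note.
SAFE_POLICY = """{
  "admin_required": "role:admin or is_admin:1",
  "default": "rule:admin_required",
  "identity:create_group": "rule:admin_required",
  "identity:delete_group": "rule:admin_required",
  "identity:add_user_to_group": "rule:admin_required"
}"""

# Constructed sample: a custom policy delegating group operations to a
# hypothetical "group_admin" role, the situation this note warns about.
DELEGATED_POLICY = """{
  "admin_required": "role:admin or is_admin:1",
  "default": "rule:admin_required",
  "identity:create_group": "rule:admin_required or role:group_admin",
  "identity:delete_group": "role:group_admin",
  "identity:add_user_to_group": "role:group_admin"
}"""

if __name__ == "__main__":
    for name, text in (("default", SAFE_POLICY), ("delegated", DELEGATED_POLICY)):
        print(name, audit_group_policy(text) or "all group capabilities are admin-only")
```

Any capability the audit lists is one whose holders can also revoke other users' tokens, so review it against the delegation caveat above.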
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0009
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1268751
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg