
[Openstack-security] [Bug 1071815] Re: auth_token middleware does not check if an endpoint is in the service catalog


This is not part of the scope of keystonemiddleware. We do not deny
based upon the endpoint/catalog.

** Changed in: keystonemiddleware
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1071815

Title:
  auth_token middleware does not check if an endpoint is in the service
  catalog

Status in keystonemiddleware:
  Won't Fix

Bug description:
  We include the catalog in the token, but it is not checked.  Thus, a
  token that is intended for a subset of the endpoints can be used on
  additional endpoints.  This prevents a user from creating a token
  specific to an endpoint.  The comparable mechanism is service tickets
  in Kerberos.  If a rogue service gets a ticket in Kerberos, it cannot
  reuse that ticket elsewhere.  With the current token scheme, all
  tokens on a compromised server are at risk of being abused throughout
  an openstack deployment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1071815/+subscriptions
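As an added illustration of the check the report describes (example code, not keystonemiddleware's or Keystone's own): a function that accepts a request only when its URL falls under an endpoint listed in the token's catalog, so a token scoped to one service is refused when presented to another. It assumes the Keystone v3 catalog layout; the catalog, hostnames and ports below are constructed.

```python
# Added example, not keystonemiddleware code: the endpoint-vs-catalog check
# the report says is missing. Assumes the Keystone v3 catalog layout (a list
# of services, each with "endpoints" carrying "interface" and "url").
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def _segments(path):
    """Split a URL path into its non-empty segments."""
    return [s for s in path.split("/") if s]

def endpoint_in_catalog(catalog, request_url, interface="public"):
    """True if request_url lies under an endpoint the token was issued for.

    Matching is by origin (scheme, host, port) plus whole path segments,
    so an endpoint at /v2.1 covers /v2.1/servers but not /v2.1evil.
    """
    req_origin = _origin(request_url)
    req_path = _segments(urlsplit(request_url).path)
    for service in catalog:
        for ep in service.get("endpoints", []):
            if interface and ep.get("interface") != interface:
                continue  # wrong interface (e.g. admin vs public)
            if _origin(ep["url"]) != req_origin:
                continue  # different scheme, host or port
            ep_path = _segments(urlsplit(ep["url"]).path)
            if req_path[:len(ep_path)] == ep_path:
                return True
    return False

# Constructed catalog: a token whose catalog lists only the compute service.
SAMPLE_CATALOG = [
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://compute.example.test:8774/v2.1"},
    ]},
]

if __name__ == "__main__":
    # Honoured on its own endpoint, refused when presented to the volume service.
    print(endpoint_in_catalog(SAMPLE_CATALOG, "https://compute.example.test:8774/v2.1/servers"))
    print(endpoint_in_catalog(SAMPLE_CATALOG, "https://volume.example.test:8776/v3/volumes"))
```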