[Openstack-security] [Bug 1071815] Re: auth_token middleware does not check if an endpoint is in the service catalog
This is not part of the scope of keystonemiddleware. We do not deny
based upon the endpoint/catalog.
** Changed in: keystonemiddleware
Status: Triaged => Won't Fix
auth_token middleware does not check if an endpoint is in the service catalog
Status in keystonemiddleware: Won't Fix
We include the catalog in the token, but it is not checked. Thus, a
token that is intended for a subset of the endpoints can be used on
additional endpoints. This prevents a user from creating a token
specific to an endpoint. The comparable mechanism is service tickets
in Kerberos. If a rogue service gets a ticket in Kerberos, it cannot
reuse that ticket elsewhere. With the current token scheme, all
tokens on a compromised server are at risk of being abused throughout
an OpenStack deployment.
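The check the report asks for, as an added Python example that is not keystonemiddleware's code (the project declined the change): the service receiving a request compares the URL it is serving against the service catalog carried in the token and refuses tokens whose catalog does not list that endpoint. The catalog layout follows the Keystone v3 token format; the service names, hostnames, ports and catalog contents are constructed for this example.

```python
"""Endpoint-binding check against a Keystone v3-style service catalog.

Added example, not keystonemiddleware code. A token arrives with a
service catalog; before honouring the token, the service verifies that
the endpoint it is serving appears in that catalog. The catalog below
and every URL in it are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed sample: a catalog scoped to the compute service only.
SAMPLE_CATALOG = [
    {
        "type": "compute",
        "name": "nova",
        "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://compute.example.test:8774/v2.1"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://10.0.0.5:8774/v2.1"},
        ],
    },
]


def _normalize(url):
    """Reduce a URL to (scheme, host, port, path) for comparison.

    Default ports are made explicit so http://h/ and http://h:80/ compare
    equal, host names are lower-cased, and a trailing slash on the path
    is ignored.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    path = parts.path.rstrip("/")
    return scheme, host, port, path


def endpoint_in_catalog(catalog, service_type, request_url):
    """Return True if request_url is served by a catalog endpoint of service_type.

    A request matches when scheme, host and port are identical and the
    request path is the endpoint path or lies beneath it (segment-wise,
    so /v2.10/... does not match an endpoint at /v2.1).
    """
    req = _normalize(request_url)
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            cat = _normalize(endpoint["url"])
            same_origin = req[:3] == cat[:3]
            under_path = req[3] == cat[3] or req[3].startswith(cat[3] + "/")
            if same_origin and under_path:
                return True
    return False


def authorize_request(catalog, service_type, request_url):
    """Decision a middleware hook would make for one request: 'allow' or 'deny'."""
    if endpoint_in_catalog(catalog, service_type, request_url):
        return "allow"
    return "deny"


if __name__ == "__main__":
    # A token whose catalog lists only compute is accepted by compute ...
    print(authorize_request(SAMPLE_CATALOG, "compute",
                            "https://compute.example.test:8774/v2.1/servers"))
    # ... and rejected when replayed against a service not in its catalog.
    print(authorize_request(SAMPLE_CATALOG, "image",
                            "https://image.example.test:9292/v2/images"))
```

With a check like this in place, a token captured on one service is only usable on the endpoints its catalog names, which is the property the report compares to Kerberos service tickets. The comparison is deliberately strict on scheme, host and port so that the same host name on a different port, or plain HTTP where the catalog lists HTTPS, is not accepted.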