From 5380798f052eaebc023271c90d65b8f6d6fa6331 Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Tue, 1 Apr 2014 18:44:25 -0700 Subject: [PATCH] Add OSSN-0009 - Potential token revocation abuse via group membership This adds OSSN-0009, which covers an issue related to the ability for a user to abuse group operations in Keystone to trigger revocation of tokens for other users. Change-Id: Ic59048442a78fd37b4dcb608ee1a468af70fa82d Related-Bug: #1268751 --- notes/OSSN-0009 | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 notes/OSSN-0009 diff --git a/notes/OSSN-0009 b/notes/OSSN-0009 new file mode 100644 index 0000000..8b1c873 --- /dev/null +++ b/notes/OSSN-0009 
@@ -0,0 +1,45 @@ +Potential token revocation abuse via group membership +--- + +### Summary ### +Deletion of groups in Keystone causes token revocation for group +members. If group capabilities are delegated to users, they can abuse +those capabilities to maliciously revoke tokens for other users. + +### Affected Services / Software ### +Keystone, Grizzly, Havana, Icehouse + +### Discussion ### +If a group is deleted from Keystone, all tokens for all users that are +members of that group are revoked. By adding users to a group without +those users' knowledge and then deleting that group, a group admin can +revoke all of the users' tokens. While the default policy file gives +the group admin role to global admin, an alternative policy could +delegate the "create_group", "add_user_to_group", and "delete_group" +capabilities to a set of users. In such a system, those users will also +get a token revocation capability. Only setups using a custom policy +file in Keystone are affected. + +### Recommended Actions ### +Keystone's default policy.json file uses the "admin_required" rule for +the "create_group", "delete_group", and "add_user_to_group" +capabilities. It is recommended that you use this default configuration +if possible. Here is an example snippet of a properly configured +policy.json file: + +---- begin example policy.json snippet ---- + "identity:create_group": "rule:admin_required", + "identity:delete_group": "rule:admin_required", + "identity:add_user_to_group": "rule:admin_required", +---- end example policy.json snippet ---- + +If you need to delegate the above capabilities to non-admin users, you +need to take into account that those users will be able to revoke +tokens for other users by performing group deletion operations. You +should take caution with who you delegate these capabilities to. 
+ +### Contacts / References ### +This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0009 +Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1268751 +OpenStack Security ML : openstack-security@lists.openstack.org +OpenStack Security Group : https://launchpad.net/~openstack-ossg
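Review bot: the "Affected Services / Software" line ("Keystone, Grizzly, Havana, Icehouse") omits the qualifying condition that appears only at the end of the Discussion, "Only setups using a custom policy file in Keystone are affected", so an operator triaging by release alone will over-count exposure; suggest carrying the condition into the Summary or the Affected line, e.g. "Keystone, Grizzly, Havana, Icehouse (deployments using a custom policy.json that delegates group capabilities)". In "Recommended Actions", the snippet lists "identity:create_group" alongside the two rules that actually form the abuse path described in the Discussion (adding users to a group, then deleting it); a sentence stating that delegating "add_user_to_group" together with "delete_group" is the combination that grants revocation capability would make the policy check concrete for reviewers of existing custom policy files. Minor style: "You should take caution with who you delegate these capabilities to" reads better as "Be careful to whom you delegate these capabilities."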