openstack/security-doc
Code Issues Proposed changes

Fix formatting errors in OSSN-0053

Browse Source 
Some of the section headers in OSSN-0053 don't match the header
style from the template.  This can cause problems with any tools
designed to parse an OSSN.  In addition, one of the references
needed to be capitalized.

Change-Id: Ia12f85d659e685fb217b51dcb4b29f215632835c
This commit is contained in:
Nathan Kinder 2015-09-23 12:24:59 -07:00
parent c4594a94e4
commit cdd88606a9
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
security-notes/OSSN-0053
View File

@ -9,10 +9,10 @@ With a valid token an attacker will be able to issue new tokens that
may be used to create trusts between the originating user and a new
user.
#### Affected Services / Software ###
### Affected Services / Software ###
Keystone, Grizzly, Havana, Icehouse, Juno, Kilo
#### Discussion ###
### Discussion ###
If a service node is compromised, an attacker now has access to every
token that passes through that node. By default, a Keystone token can
be exchanged for another token, and there is no restriction on scoping
@ -35,7 +35,7 @@ from trusts created through intercepted tokens.
This behavior is intrinsic to the bearer token model used within
Keystone / OpenStack.
#### Recommended Actions ###
### Recommended Actions ###
The following steps are recommended to reduce exposure, based on the
granularity and accepted level of risk in a given environment:
@ -55,12 +55,12 @@ a single token for the whole workload, and take more than one hour, so
installations have increased token lifespans back to the old value of
24 hours - increasing their exposure to this issue.
#### Contacts / References ###
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0053
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1455582
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Hierarchical Roles : https://review.openstack.org/#/c/125704
Policy by URL : https://review.openstack.org/#/c/192422
unified policy file : https://review.openstack.org/#/c/134656
Unified policy file : https://review.openstack.org/#/c/134656
Endpoint_ID from URL : https://review.openstack.org/#/c/199844