Potential token revocation abuse via group membership --- ### Summary ### Deletion of groups in Keystone causes token revocation for group members. If group capabilities are delegated to users, they can abuse those capabilities to maliciously revoke tokens for other users. ### Affected Services / Software ### Keystone, Grizzly, Havana, Icehouse ### Discussion ### If a group is deleted from Keystone, all tokens for all users that are members of that group are revoked. By adding users to a group without those users' knowledge and then deleting that group, a group admin can revoke all of the users' tokens. While the default policy file gives the group admin role to global admin, an alternative policy could delegate the "create_group", "add_user_to_group", and "delete_group" capabilities to a set of users. In such a system, those users will also get a token revocation capability. Only setups using a custom policy file in Keystone are affected. ### Recommended Actions ### Keystone's default policy.json file uses the "admin_required" rule for the "create_group", "delete_group", and "add_user_to_group" capabilities. It is recommended that you use this default configuration if possible. Here is an example snippet of a properly configured policy.json file: ---- begin example policy.json snippet ---- "identity:create_group": "rule:admin_required", "identity:delete_group": "rule:admin_required", "identity:add_user_to_group": "rule:admin_required", ---- end example policy.json snippet ---- If you need to delegate the above capabilities to non-admin users, you need to take into account that those users will be able to revoke tokens for other users by performing group deletion operations. You should take caution with who you delegate these capabilities to. ### Contacts / References ### Author: Nathan Kinder, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0009 Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1268751 OpenStack Security ML : openstack-security@lists.openstack.org OpenStack Security Group : https://launchpad.net/~openstack-ossg