security-doc/security-notes/OSSN-0032
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

44 lines
1.8 KiB
Plaintext

Disabling a tenant does not disable a user token
---
### Summary ###
When a tenant is disabled in Keystone, tokens that have been issued to
that tenant are not invalidated. This can result in users having access
to your cloud after you have attempted to revoke them.
### Affected Services / Software ###
Keystone, Folsom, Grizzly
### Discussion ###
Keystone does not purge the tokens given out to tenants when a tenant
is disabled. In some scenarios this could be very important to cloud
providers. Take the case where a cloud provider must revoke a tenant's
access because of some legal investigation. Even though the tenant is
disabled it would be possible for them to terminate VMs / delete Swift
files etc. There are many other abuse-cases.
### Recommended Actions ###
This issue has been fixed in the OpenStack Havana release. The fix has
also been backported to OpenStack Grizzly as a part of the 2013.1.4
Keystone release.
How the tokens are stored depends on your cloud deployment. If you
deploy using Memcached to back Keystone then flushing the cache when
disabling a token would resolve this issue for you, at the cost of other
token lookups which are no longer in the cache requiring Keystone
interaction.
It is of course possible to script something to remove tokens from any
backend DB or cache, but there is no 'official' way to do this.
NOTE: Flushing Memcached can result in losing token revocation
information as addressed in https://bugs.launchpad.net/ossn/+bug/1182920
### Contacts / References ###
Author: Robert Clark, HP
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0032
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1179955
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: CVE-2013-4222