1bf55f1eb0
All OSSN authors, added under the "Author:" metadata field Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a Closes-Bug: #1599064
47 lines
2.1 KiB
Plaintext
47 lines
2.1 KiB
Plaintext
Potential token revocation abuse via group membership
|
|
---
|
|
|
|
### Summary ###
|
|
Deletion of groups in Keystone causes token revocation for group
|
|
members. If group capabilities are delegated to users, they can abuse
|
|
those capabilities to maliciously revoke tokens for other users.
|
|
|
|
### Affected Services / Software ###
|
|
Keystone, Grizzly, Havana, Icehouse
|
|
|
|
### Discussion ###
|
|
If a group is deleted from Keystone, all tokens for all users that are
|
|
members of that group are revoked. By adding users to a group without
|
|
those users' knowledge and then deleting that group, a group admin can
|
|
revoke all of the users' tokens. While the default policy file gives
|
|
the group admin role to global admin, an alternative policy could
|
|
delegate the "create_group", "add_user_to_group", and "delete_group"
|
|
capabilities to a set of users. In such a system, those users will also
|
|
get a token revocation capability. Only setups using a custom policy
|
|
file in Keystone are affected.
|
|
|
|
### Recommended Actions ###
|
|
Keystone's default policy.json file uses the "admin_required" rule for
|
|
the "create_group", "delete_group", and "add_user_to_group"
|
|
capabilities. It is recommended that you use this default configuration
|
|
if possible. Here is an example snippet of a properly configured
|
|
policy.json file:
|
|
|
|
---- begin example policy.json snippet ----
|
|
"identity:create_group": "rule:admin_required",
|
|
"identity:delete_group": "rule:admin_required",
|
|
"identity:add_user_to_group": "rule:admin_required",
|
|
---- end example policy.json snippet ----
|
|
|
|
If you need to delegate the above capabilities to non-admin users, you
|
|
need to take into account that those users will be able to revoke
|
|
tokens for other users by performing group deletion operations. You
|
|
should take caution with who you delegate these capabilities to.
|
|
|
|
### Contacts / References ###
|
|
Author: Nathan Kinder, Red Hat
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0009
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1268751
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|