security-doc/security-notes/OSSN-0009
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

47 lines
2.1 KiB
Plaintext

Potential token revocation abuse via group membership
---
### Summary ###
Deletion of groups in Keystone causes token revocation for group
members. If group capabilities are delegated to users, they can abuse
those capabilities to maliciously revoke tokens for other users.
### Affected Services / Software ###
Keystone, Grizzly, Havana, Icehouse
### Discussion ###
If a group is deleted from Keystone, all tokens for all users that are
members of that group are revoked. By adding users to a group without
those users' knowledge and then deleting that group, a group admin can
revoke all of the users' tokens. While the default policy file gives
the group admin role to global admin, an alternative policy could
delegate the "create_group", "add_user_to_group", and "delete_group"
capabilities to a set of users. In such a system, those users will also
get a token revocation capability. Only setups using a custom policy
file in Keystone are affected.
### Recommended Actions ###
Keystone's default policy.json file uses the "admin_required" rule for
the "create_group", "delete_group", and "add_user_to_group"
capabilities. It is recommended that you use this default configuration
if possible. Here is an example snippet of a properly configured
policy.json file:
---- begin example policy.json snippet ----
"identity:create_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
---- end example policy.json snippet ----
If you need to delegate the above capabilities to non-admin users, you
need to take into account that those users will be able to revoke
tokens for other users by performing group deletion operations. You
should take caution with who you delegate these capabilities to.
### Contacts / References ###
Author: Nathan Kinder, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0009
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1268751
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg