-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Keystone token scoping provides no security benefit - ---
### Summary ### Keystone provides "scoped" tokens that are constrained to use by a single project. A user may expect that their scoped token can only be used to perform operations for the project it is scoped to, which is not the case. A service or other party who obtains the scoped token can use it to obtain a token for a different authorized scope, which may be considered a privilege escalation. ### Affected Services / Software ### Keystone, Diablo, Essex, Folsom, Grizzly, Havana, Icehouse, Juno, Kilo ### Discussion ### This is not a bug in keystone, it's a design feature that some users may expect to bring security enhancement when it does not. The OSSG is issuing this security note to highlight the issue. Many operations in OpenStack will take a token from the user and pass it to another service to perform some portion of the intended operation. This token is very powerful and can be used to perform many actions for the user. Scoped tokens appear to limit their use to the project and roles they were granted for but can also be used to request tokens with other scopes. It's important to note that this only works with currently valid tokens. Once a token expires it cannot be used to gain a new token. Token scoping helps avoid accidental leakage of tokens because using tokens with other services requires the extra step of requesting a new re-scoped token from keystone. Scoping can help with audit trails and promote good code practices. There's currently no way to create a tightly scoped token that cannot be used to request a re-scoped token. A scoped token cannot be relied upon to restrict actions to only that scope. ### Recommended Action ### Users and deployers of OpenStack must not rely on the scope of tokens to limit what actions can be performed using them. Concerned users are encouraged to read (OSSG member) Nathan Kinder's blog post on this issue and some of the potential future solutions. ### Contacts / References ### Nathan Kinder on Token Scoping : https://blog-nkinder.rhcloud.com/?p=101 This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0042 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1341816 OpenStack Security ML : [email protected] OpenStack Security Group : https://launchpad.net/~openstack-ossg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJUkazSAAoJEJa+6E7Ri+EVwCoIAINTtZHphJp++r1i7CwAJ+TD LUyLIFv7poe6Ni8LeF3KYLm4HgjSO8lj8G/KALHsteWt5iteu0AxXzYa4WYYdcyt 8RkZOg2/x97vbwkM3wwJ3e9CfebDrOmsQ4BefiRGH+9UKIzbAgoLQ8Xya0XZrIUd 21EAy1qF1TSaiP2coIVCKo5mwzneBJxkQU5EJnMMWxsnYYdcL7SxTEhPwA73712S gWk6tlt959e6LpJaddKDAmIIxIXYhmrVFKvl7y/XHRZPdKhaz0rfC6Up/9MVthhL LGEOzRMJ4oF6IjfSi94dFC9CLtGm8s8l812Or9hvzudBU1ZfJbPIOJ1PAGFHWb8= =Z3dN -----END PGP SIGNATURE----- _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
