openstack/keystone
Code Issues Proposed changes
OpenStack Identity (Keystone)
14,472 Commits 10 Branches 45 Tags 235 MiB
Python 99.5%
Shell 0.5%
ab89ea7490
Go to file
Colleen Murphy ab89ea7490 Check timestamp of signed EC2 token request 
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.

The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].

Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.

[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html

Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
2020-04-28 11:45:24 -07:00
api-ref/source Merge "Expiring Group Memberships API - Allow set idp authorization_ttl" 2020-04-10 09:37:50 +00:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Add openstack_groups to assertion 2020-03-19 20:14:41 +05:30
doc Merge "Update contributors document keystone" 2020-04-18 03:38:56 +00:00
etc Remove policy.v3cloudsample.json 2019-10-02 20:26:05 +00:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd Remove admin interface in sample Apache file 2018-03-24 12:56:02 +01:00
keystone Check timestamp of signed EC2 token request 2020-04-28 11:45:24 -07:00
keystone_tempest_plugin Replace git.openstack.org URLs with opendev.org URLs 2019-04-24 11:51:00 +08:00
playbooks/legacy/keystone-dsvm-grenade-multinode Migrate grenade jobs to py3 2019-11-19 22:26:54 +00:00
rally-jobs fix rally docs url 2018-05-21 16:24:51 +08:00
releasenotes Check timestamp of signed EC2 token request 2020-04-28 11:45:24 -07:00
tools Re-enable line-length linter 2019-10-21 08:48:47 -07:00
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Tell reno to ignore the kilo branch 2020-02-21 13:51:02 -05:00
.gitreview OpenDev Migration Patch 2019-04-19 19:30:29 +00:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.stestr.conf Migrate to stestr 2017-09-22 11:07:09 -05:00
.zuul.yaml Merge "Copy shibboleth logs in federation jobs" 2020-03-17 20:30:27 +00:00
babel.cfg setting up babel for i18n work 2012-06-21 18:03:09 -07:00
bindep.txt Fix bindep for SUSE 2019-02-14 16:50:33 +01:00
CONTRIBUTING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
HACKING.rst Merge "Update links in keystone" 2017-10-06 16:10:56 +00:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
lower-constraints.txt Parse cli args in get_enforcer 2020-03-23 22:16:58 +00:00
README.rst Merge "Add Source links to readme" 2019-12-17 08:52:57 +00:00
reno.yaml Tell reno to ignore the kilo branch 2020-02-21 13:51:02 -05:00
requirements.txt Merge "Parse cli args in get_enforcer" 2020-04-22 11:06:04 +00:00
setup.cfg Cleanup py27 support 2020-04-08 08:37:30 +02:00
setup.py Cleanup py27 support 2020-04-08 08:37:30 +02:00
test-requirements.txt Update hacking for Python3 2020-04-15 07:17:58 +02:00
tox.ini Merge "Update hacking for Python3" 2020-04-25 10:21:07 +00:00

README.rst

OpenStack Keystone

image

OpenStack Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://docs.openstack.org/api-ref/identity

The canonical client library is available at:

https://opendev.org/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://opendev.org/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Release notes is available at:

https://docs.openstack.org/releasenotes/keystone

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

Source for the project:

https://opendev.org/openstack/keystone

For information on contributing to Keystone, see CONTRIBUTING.rst.