openstack/security-analysis
Code Issues Proposed changes
Files
ac43025
security-analysis/doc/source/artifacts/keystonemiddleware/pike/architecture-page.rst
Andreas Jaeger 18361b3ca8 Switch to newer openstackdocstheme version 
Switch to openstackdocstheme 2.2.1 version. Using
this version will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems

Update Sphinx version as well.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html

Update to use openstackdocstheme, cleanup setup.cfg, tox.ini for
python3.

Fix build problems with newer Sphinx.

Change-Id: I433dee9372af6e477d96ded8cb93bc04f85e209d
2020-06-03 21:21:27 +02:00

2.7 KiB
Raw Blame History

Architecture page

keystonemiddleware architecture - 4.17.1/pike

Status: Draft/Ready for Review/Reviewed

Release: Pike

Version: 4.17.1

Contacts:

  • PTL: Lance Bragstad - lbragstad
  • Architect: Gage Hugo - gagehugo
  • Security Reviewer: Luke Hinds - lhinds
  • Security Reviewer: Jeremy Stanley - fungi

Project description and purpose

keystonemiddleware1 is primarily used for integrating with the OpenStack Identity API2 and handling authorization enforcement based upon the data within the OpenStack Identity tokens. Also included is middleware that provides the ability to create audit events based on API requests.

Primary users and use-cases

The primary users of keystonemiddleware are other services within an OpenStack deployment that require identity information supplied from OpenStack Identity (keystone).

External dependencies & associated security assumptions

keystonemiddleware depends on having an OpenStack Identity (keystone)3 endpoint. Without an Identity endpoint, there is not much use for keystonemiddleware. It also depends on having a service configuration for the service that it is protecting.

Components

  • OpenStack Identity - keystone (Python)
  • memcache (optional)

Service architecture diagram

image

Architecture Page4

Data assets

  • Authorization Tokens - persisted in memcache
  • memcache encryption keys - persisted in keystonemiddleware.conf

Data asset impact analysis

Data Assets: - Authorization Token:

  • Integrity Failure Impact: Attacker that can capture and hijack a valid auth token can get access to anything scoped to the token.
  • keystonemiddleware.conf:
    • Integrity Failure Impact: Attacker who can read the config file can gain access to the memcache encryption key, which can allow them to access and modify all cached tokens.

Interfaces

  1. User -> KeystoneMiddleware [TLS]:
    • Assets in flight: keystone Token
    • An attacker who can successfully intercept the token can modify anything that the token is scoped to. This has potential availability impact.

Resources

  1. https://docs.openstack.org/developer/keystonemiddleware/#python-middleware-for-openstack-identity-api-keystone↩︎

  2. <https://docs.openstack.org/developer/keystone/index.html>↩︎

  3. <https://docs.openstack.org/developer/keystone/index.html>↩︎

  4. <https://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html>↩︎