44 lines
1.8 KiB
Plaintext
44 lines
1.8 KiB
Plaintext
Disabling a tenant does not disable a user token
|
|
---
|
|
|
|
### Summary ###
|
|
When a tenant is disabled in Keystone, tokens that have been issued to
|
|
that tenant are not invalidated. This can result in users having access
|
|
to your cloud after you have attempted to revoke them.
|
|
|
|
### Affected Services / Software ###
|
|
Keystone, Folsom, Grizzly
|
|
|
|
### Discussion ###
|
|
Keystone does not purge the tokens given out to tenants when a tenant
|
|
is disabled. In some scenarios this could be very important to cloud
|
|
providers. Take the case where a cloud provider must revoke a tenant's
|
|
access because of some legal investigation. Even though the tenant is
|
|
disabled it would be possible for them to terminate VMs / delete Swift
|
|
files etc. There are many other abuse-cases.
|
|
|
|
### Recommended Actions ###
|
|
This issue has been fixed in the OpenStack Havana release. The fix has
|
|
also been backported to OpenStack Grizzly as a part of the 2013.1.4
|
|
Keystone release.
|
|
|
|
How the tokens are stored depends on your cloud deployment. If you
|
|
deploy using Memcached to back Keystone then flushing the cache when
|
|
disabling a token would resolve this issue for you, at the cost of other
|
|
token lookups which are no longer in the cache requiring Keystone
|
|
interaction.
|
|
|
|
It is of course possible to script something to remove tokens from any
|
|
backend DB or cache, but there is no 'official' way to do this.
|
|
|
|
NOTE: Flushing Memcached can result in losing token revocation
|
|
information as addressed in https://bugs.launchpad.net/ossn/+bug/1182920
|
|
|
|
### Contacts / References ###
|
|
Author: Robert Clark, HP
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0032
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1179955
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
|
CVE: CVE-2013-4222
|