74 lines
2.9 KiB
Plaintext
74 lines
2.9 KiB
Plaintext
Keystone admin_token_auth use by default causes insecure operation
|
|
---
|
|
|
|
### Summary ###
|
|
A Keystone setting intended for use only during initial installation is
|
|
often left configured in its default value by OpenStack deployers.
|
|
|
|
An attacker could gain administrative access to the Keystone API by
|
|
providing the string "ADMIN" as a token.
|
|
|
|
### Affected Services / Software ###
|
|
Keystone, Folsom, Grizzly, Havana, Icehouse, Juno, Kilo, Liberty, Mitaka
|
|
|
|
### Discussion ###
|
|
The Keystone service supports an authentication middleware called
|
|
"admin_token_auth". This provides a simple token for accessing the
|
|
Keystone API and is intended to be used only for the initial setup of
|
|
Keystone, allowing the deployer access to the Keystone API which can be
|
|
used to setup appropriate Keystone administrator accounts.
|
|
|
|
The "admin_token_auth" method is configured through the
|
|
keystone-paste.ini file. The token for the "ADMIN_TOKEN" that this
|
|
method validates against is set in the keystone.conf file.
|
|
|
|
Some deployments copy these files from the example versions and use them
|
|
unchanged. This means that some production OpenStack clouds may have
|
|
"admin_token_auth" enabled and "ADMIN_TOKEN" set to the default value
|
|
of "ADMIN".
|
|
|
|
It is likely that OpenStack deployments using the default Keystone
|
|
configuration files are vulnerable to exploitation by an attacker who accesses
|
|
the API using a token of "ADMIN".
|
|
|
|
### Recommended Actions ###
|
|
Use of "ADMIN_TOKEN" for bootstrapping Keystone deployments is
|
|
deprecated and will be removed in a future release. Deployers are
|
|
encouraged to bootstrap Keystone using the 'bootstrap' feature of the
|
|
keystone-manage CLI tool:
|
|
|
|
$ keystone-manage bootstrap --bootstrap-password s3cr3t
|
|
|
|
Existing deployments should remove the "admin_token_auth" middleware
|
|
from the API pipelines in keystone-paste.ini.
|
|
|
|
---- begin bad keystone-paste.ini snippet ----
|
|
[pipeline:public_api]
|
|
pipeline = [...] token_auth admin_token_auth json_body [...]
|
|
|
|
[pipeline:admin_api]
|
|
pipeline = [...] token_auth admin_token_auth json_body [...]
|
|
|
|
[pipeline:api_v3]
|
|
pipeline = [...] token_auth admin_token_auth json_body [...]
|
|
---- end bad keystone-paste.ini snippet ----
|
|
|
|
---- begin good keystone-paste.ini snippet ----
|
|
[pipeline:public_api]
|
|
pipeline = [...] token_auth json_body [...]
|
|
|
|
[pipeline:admin_api]
|
|
pipeline = [...] token_auth json_body [...]
|
|
|
|
[pipeline:api_v3]
|
|
pipeline = [...] token_auth json_body [...]
|
|
---- end good keystone-paste.ini snippet ----
|
|
|
|
### Contacts / References ###
|
|
Author: Robert Clark, IBM
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0064
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1545789
|
|
Mailing list [Security] tag on : openstack-dev@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
|
Keystone Change : https://review.openstack.org/#/c/282104/1/releasenotes/notes/admin_token-c634ec12fc714255.yaml
|