if an ordinary user sent a get-token request to KeyStone, internalURL and 
adminURL of endpoints will also be returned. It'll expose the internal high 
privilege access address and some internal network topology information to the 
ordinary user, and leads to the risk for malicious user to attack or hijack the 

the request to get token for ordinary user:
curl -d '{"auth":{"passwordCredentials":{"username": "huawei", "password": 
"2014"},"tenantName":"huawei"}}' -H "Content-type: application/json" 

the response will include internalURL and adminURL of endpoints:
{"access": {"token": {"issued_at": "2014-11-27T02:30:59.218772", "expires": 
"2014-11-27T03:30:59Z", "id": "b8684d2b68ab49d5988da9197f38a878", "tenant": 
{"description": "normal Tenant", "enabled": true, "id": 
"7ed3351cd58349659f0bfae002f76a77", "name": "huawei"}, "audit_ids": 
["Ejn3BtaBTWSNtlj7beE9bQ"]}, "serviceCatalog": [{"endpoints": [{"adminURL": 
"";, "region": 
"regionOne", "internalURL": 
"";, "id": 
"170a3ae617a1462c81bffcbc658b7746", "publicURL": 
"endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": 
[{"adminURL": "";, "region": "regionOne", "internalURL": 
"";, "id": "7c0f28aa4710438bbd84fd25dbe4daa6", 
"publicURL": ""}], "endpoints_links": [], "type": 
"network", "name": "neutron"}, {"endpoints": [{"adminURL": "ht
 tp://", "region": "regionOne", "internalURL": 
"";, "id": "576f41fc8ef14b4f90e516bb45897491", 
"publicURL": ""}], "endpoints_links": [], "type": 
"image", "name": "glance"}, {"endpoints": [{"adminURL": 
"";, "region": "regionOne", "internalURL": 
"";, "id": "77d464e146f242aca3c50e10b6cfdaa0", 
"publicURL": ""}], "endpoints_links": [], "type": 
"metering", "name": "ceilometer"}, {"endpoints": [{"adminURL": 
"";, "region": "regionOne", "internalURL": 
"";, "id": "1b8177826e0c426fa73e5519c8386589", 
"publicURL": ""}], "endpoints_links": [], "type": 
"baremetal", "name": "ironic"}, {"endpoints": [{"adminURL": 
"";, "region": "regionOne", "internalURL": 
"";, "id": "435ae249fd2a427089cb4bf2e6c0b8e9", 
"publicURL": "";
 }], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": 
{"username": "huawei", "roles_links": [], "id": 
"a88a40a635334e5da2ac3523d9780ed3", "roles": [{"name": "_member_"}], "name": 
"huawei"}, "metadata": {"is_admin": 0, "roles": 

At least, the internalURL and adminURL of endpoints should not be returned to 
ordinary users, only if the admin configured the policy to allow ordinary user 
has the right to see it.

Best Regards
Chaoyi Huang ( Joe Huang )

OpenStack-dev mailing list

Reply via email to