On Jun 26, 2016 19:39, "林自均" <[email protected]> wrote: > > Hi all, > > I have the following scenario: > > 1. On client machine A, a user obtains an auth token with a username and password. > 2. The user can use the auth token to do operations on client machine A. > 3. A thief steals the auth token, and do operations on client machine B. > > Can Keystone check the auth token's source IP (which is client machine A in the above example) to prevent thieves to use it? Does this feature exist? Or is it a work in progress? Thanks for the help! > > John > > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : [email protected] > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >
Unfortunately, validating tokens in this way will induce a number of failures. The user's token is passed through from one service to another for subsequent actions (e.g. nova talking to glance to get the proper image). We are working on changing how AuthZ is handled when it is service to service (nova to glance or cinder) vs when it is user to service. While we have had the concept of token binding (requiring an x509 client cert for example) the above mentioned limitation has made the feature a non-starter. Generally speaking bearer tokens are known to have this issue and keystone tokens are bearer tokens. The best mitigation is to use TLS for communication to the endpoints (user -> service) and limit the life span of the tokens to the shortest window possible (making replay attacks significantly more difficult as the tokens expire quickly). Eventually we can work on solving this, but there is a bunch of work needed before it can be worked on/explored. --Morgan
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
