*** This bug is a security vulnerability ***

Public security bug reported:

The Keystone configuration sets the ADMIN_TOKEN option to "ADMIN" by default, which means that unless the deployment specifically changes this value to a secure value, the filter "admin_auth_token" will accept the value of "ADMIN" as an all-access administrative token for the openstack deployment (when interacting with keystone).

https://github.com/openstack/keystone/blob/406fbfaa2689255fb54cf1eb07403f392c735c53/keystone/common/config.py#L49-L56

The fix will be to make this value "None" by default, and if the option is unset, the "admin_token_auth" filter will simply pass, continuing to allow normal credentials to work.

This is a CLASS B1 (my assessment)
https://security.openstack.org/vmt-process.html#incident-report-taxonomy

This bug was opened so we can issue an OSSA/OSSN with the fix.

** Affects: keystone
     Importance: Medium
     Assignee: Adam Young (ayoung)
         Status: Triaged

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1545789

Title:
  keystone ADMIN_TOKEN set by default can lead to default insecure deployment

Status in OpenStack Identity (keystone):
  Triaged

Mailing list: https://launchpad.net/~yahoo-eng-team
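The behaviour the report describes, as an added illustration that is not part of the bug report and not keystone's own code: a small model of the admin_token_auth paste filter driven by a keystone.conf-style [DEFAULT] section, run once with the shipped default of "ADMIN" and once with the proposed default of None. The option name admin_token and the X-Auth-Token header are the real ones; the filter logic, helper names, sample config text and the audit thresholds are assumptions made here for the example.

```python
import configparser
import hmac

# Constructed stand-ins for the code default of admin_token before and after
# the change the report proposes. Nothing here is keystone's code.
DEFAULTS_BEFORE_FIX = {"admin_token": "ADMIN"}  # shipped default the report objects to
DEFAULTS_AFTER_FIX = {"admin_token": None}      # proposed default: option unset


def admin_token_from_conf(conf_text):
    """Read admin_token from a keystone.conf-style [DEFAULT] section.

    Returns None when the option is absent or commented out, so an operator
    who never set it gets whatever default the code ships with.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    value = parser.get("DEFAULT", "admin_token", fallback=None)
    return value if value else None


def effective_config(operator_value, defaults):
    """Operator value wins; otherwise fall back to the code default."""
    cfg = dict(defaults)
    if operator_value is not None:
        cfg["admin_token"] = operator_value
    return cfg


def admin_token_auth(environ, cfg):
    """Simplified, hypothetical model of the admin_token_auth filter.

    Marks the request as admin only when X-Auth-Token equals the configured
    admin_token. With admin_token unset (None) the filter is a no-op and the
    request continues to ordinary credential-based auth downstream.
    """
    env = dict(environ)
    configured = cfg.get("admin_token")
    presented = env.get("HTTP_X_AUTH_TOKEN")
    if configured is None or presented is None:
        env["is_admin"] = False
        return env
    # Constant-time comparison so the token cannot be guessed byte by byte.
    env["is_admin"] = hmac.compare_digest(
        presented.encode("utf-8"), configured.encode("utf-8")
    )
    return env


def is_admin_request(token, conf_text, defaults):
    """Run one request carrying `token` (None = no header) through the filter
    for a deployment whose keystone.conf is `conf_text` and whose code default
    is `defaults`; return whether the request was granted admin."""
    cfg = effective_config(admin_token_from_conf(conf_text), defaults)
    environ = {} if token is None else {"HTTP_X_AUTH_TOKEN": token}
    return admin_token_auth(environ, cfg)["is_admin"]


def audit_admin_token(conf_text, defaults):
    """Findings an operator would want to see for a given keystone.conf.
    The 32-character floor is an assumption for this example, not a keystone rule."""
    cfg = effective_config(admin_token_from_conf(conf_text), defaults)
    token = cfg.get("admin_token")
    findings = []
    if token is None:
        return findings
    if token == "ADMIN":
        findings.append("admin_token is the well-known default 'ADMIN'")
    if len(token) < 32:
        findings.append("admin_token is short; use a long random value or unset it")
    return findings


# Constructed sample keystone.conf fragments (not taken from any deployment).
UNCONFIGURED_CONF = "[DEFAULT]\n#admin_token = <None>\n"
EXPLICIT_DEFAULT_CONF = "[DEFAULT]\nadmin_token = ADMIN\n"
HARDENED_CONF = "[DEFAULT]\nadmin_token = 7f3b9c0e4d2a1b8f6e5c4d3a2b1f0e9d8c7b6a5f\n"

if __name__ == "__main__":
    for label, defaults in (("before fix", DEFAULTS_BEFORE_FIX),
                            ("after fix", DEFAULTS_AFTER_FIX)):
        for conf_name, conf in (("unconfigured", UNCONFIGURED_CONF),
                                ("explicit ADMIN", EXPLICIT_DEFAULT_CONF),
                                ("hardened", HARDENED_CONF)):
            granted = is_admin_request("ADMIN", conf, defaults)
            print(f"{label:10} {conf_name:15} X-Auth-Token: ADMIN -> admin={granted} "
                  f"findings={audit_admin_token(conf, defaults)}")
```

The run shows the point of the fix: with the code default of "ADMIN" and an untouched keystone.conf, a request presenting the literal token "ADMIN" is granted admin; with the default changed to None the same request falls through to normal authentication. It also shows the caveat a deployer needs: the fix only changes the default, so a keystone.conf that sets admin_token = ADMIN explicitly stays exposed, which is why the audit check looks at the effective value rather than at the code default.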

