Confirmed for the updates milestones, priority downgraded from Critical to Medium (see below for explanation)
This is not a security vulnerability. The Keystone endpoint is public in our default configuration, and like any service it has limited capacity and could be overloaded with a number of requests that exceeds that capacity. If a DoS attack is happening, one could take appropriate measures - ban the IPs the requests are coming from, filter specific types of packets, etc. There is nothing Keystone-specific or OpenStack-specific here.
Now this looks like a feature request to put some limits on the number of incoming requests. That should be discussed with product mgmt, scale and architecture groups. Then we could look into what could be done for older releases and existing deployments.
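The request limiting that the comment above treats as a feature request, as an added example that is not code from Keystone, Fuel or the original bug report: a per-source token-bucket limiter that sits in front of a public API endpoint, temporarily bans sources that keep sending after being throttled (the "ban IPs" measure the comment mentions), and exempts allowlisted internal networks so the control plane is never throttled by its own traffic. Every parameter, address and the sample request stream below is constructed for illustration.

```python
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class _Bucket:
    tokens: float           # tokens currently available for this source
    last: float             # clock reading at the last refill
    rejects: int = 0        # consecutive rejected requests since the last accepted one
    banned_until: float = 0.0


class RateLimiter:
    """Token bucket per source address with a temporary ban for persistent offenders.

    Hypothetical front-end for a public API such as Keystone; the numbers passed in by
    the caller are illustrative, not tuned for any real deployment.
    """

    def __init__(self, rate, burst, ban_after, ban_seconds, allowlist=(), clock=time.monotonic):
        self.rate = float(rate)          # tokens refilled per second
        self.burst = float(burst)        # bucket capacity, i.e. the tolerated burst size
        self.ban_after = ban_after       # consecutive rejections that trigger a ban
        self.ban_seconds = ban_seconds   # ban duration
        self.allowlist = [ip_network(n) for n in allowlist]  # e.g. internal control-plane nets
        self.clock = clock
        self._buckets = {}

    def _exempt(self, addr):
        return any(addr in net for net in self.allowlist)

    def allow(self, src, now=None):
        """Decide one request from src; returns (allowed, reason)."""
        now = self.clock() if now is None else now
        addr = ip_address(src)
        if self._exempt(addr):
            return True, "allowlisted"
        b = self._buckets.get(addr)
        if b is None:
            b = _Bucket(tokens=self.burst, last=now)
            self._buckets[addr] = b
        if now < b.banned_until:
            return False, "banned"
        # Refill proportionally to elapsed time, never above the burst capacity.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            b.rejects = 0
            return True, "ok"
        b.rejects += 1
        if b.rejects >= self.ban_after:
            b.banned_until = now + self.ban_seconds
            b.rejects = 0
            return False, "banned"
        return False, "throttled"

    def banned_sources(self, now=None):
        """Addresses currently banned, e.g. to push into a firewall ipset."""
        now = self.clock() if now is None else now
        return sorted(str(a) for a, b in self._buckets.items() if now < b.banned_until)


def run_stream(limiter, requests):
    """Feed a list of (timestamp, source) pairs and count outcomes per reason."""
    counts = {}
    for ts, src in requests:
        _, reason = limiter.allow(src, now=ts)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: one source floods at t=100, a normal client and an internal
    # host send a few requests each.
    limiter = RateLimiter(rate=1.0, burst=5, ban_after=10, ban_seconds=60,
                          allowlist=["10.0.0.0/8"])
    flood = [(100.0, "203.0.113.7")] * 20
    normal = [(100.0 + i, "198.51.100.2") for i in range(3)]
    internal = [(100.0, "10.20.0.5")] * 3
    print(run_stream(limiter, flood + normal + internal))
    print("banned at t=120:", limiter.banned_sources(now=120.0))
```

The refill happens on each request rather than on a timer, so the limiter holds no background state; the ban is checked before the refill so a banned source cannot earn tokens back by waiting, but its bucket is full again once the ban expires, which is what you want for a source that was merely misconfigured rather than malicious.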