Disabling a tenant would not disable a user token

Adding Keystone core devs to discuss.

There has been some bugs files already about disabling / deleting tenants and how that should propagate to tenant-related resources, so I'm not 100% sure that would constitute a vulnerability.

FYI: I have just figured out that my tokens were stored in mysql DB so clearing them (or using memcached tokens) would get the tokens properly invalided after update.

I still believe there is a bug that we need to delete the token belonging to the tenants when we update it in :

https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L108

like done for users :

https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L220

I think we can remove the security issue tag (but that's definitvely a bug) since this can be workarounded but I would like some feedback from keystone core devs first.

Fix proposed to branch: master
Review: https://review.openstack.org/31564

satya-patibandla: didn't mean to hijack this if you have a solution. I just wanted to put tests up to demonstrate

If the token is tenant scoped .. would make sense to disable token?

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Dolph Mathews
Sent: Tuesday, June 04, 2013 2:21 PM
To: Bhandaru, Malini K
Subject: [Bug 1179955] Re: Disabling a tenant would not disable a user token

satya-patibandla: didn't mean to hijack this if you have a solution. I just wanted to put tests up to demonstrate

--
You received this bug notification because you are subscribed to Keystone.
Matching subscriptions: keystone
https://bugs.launchpad.net/bugs/1179955

Title:
  Disabling a tenant would not disable a user token

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  Using keystone/python-keystoneclient master as of today when disabling
  a tenant would not disable the users attached to the and would still
  have access.

  I would not mind to fix it but I want to make sure first if this is
  something done by design or I am missing something.

  Here is a transcript of my tests :

  # Here is the list of my tenants all enabled and nice (devstack default)
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  | id | name | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde | admin | True |
  | b39f8b007abe472b93ebb5c7fdd80c98 | demo | True |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True |
  | 13fe49ee5e0144d0acd0c89fb901a248 | service | True |
  +----------------------------------+--------------------+---------+

  # Let's store the DEMO_TENANT_ID for later
  chmouel@vm:~$ DEMO_TENANT=b39f8b007abe472b93ebb5c7fdd80c98

  # getting a token with this script available here http://p.chmouel.com/ks which
  chmouel@vm:~$ ks localhost demo:demo ADMIN
  [...]

  # Using the token I can access to my swift account properly all good here.
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: tx390b2fb557fb4cb48a082-0051923f3b
  Date: Tue, 14 May 2013 13:42:19 GMT

  # Now let's try to disable that tenant
  chmouel@vm:~$ keystone tenant-update --enabled false ${DEMO_TENANT}

  # tenant is disabled all good
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  | id | name | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde | admin | True |
  | b39f8b007abe472b93ebb5c7fdd80c98 | demo | False |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True |
  | 13fe49ee5e0144d0acd0c89fb9...

Malini: yes, that's what these new tests are asserting: https://review.openstack.org/#/c/31564/2/tests/test_v3_auth.py

Triple-checking the need for a public OSSA on this

Is there a way for the admin to disable all tokens already issued for a tenant he wants to disable ? Then I'd tend to consider this a poor feature with potential security consequences (requiring information) rather than a vulnerability.

There's no convenient way to revoke the correct subset of tokens through the API or through the backend itself (even the SQL driver doesn't index by tenant/project). Depending on the actual driver in use, I'd suggest a brute force solution to wipe *all* tokens:

SQL: delete from token;
memcache: Restart memcache
KVS: Restart keystone

It's always wise to tread lightly where authentication behavior and the principle of least surprise are concerned. I don't think this warrants an OSSA, but might benefit from an OSSG security note with recommendations for how deployers can work around this shortcoming in production (whether that's clearing all active tokens or something more targeted).

Adding an OSSN task to see if this would be better served by one.

@Rob: would that fall under OSSN ?

Yeah, we can cut an OSSN for this. I'm not a keystone expert though so I'd like some better guidance here before we write the note, who should I reach out to for more info?

Does this get fixed when PKI-Tokens are used more (They seem to either support ephemeral i.e short-life tokens and/or revocation)

review in https://review.openstack.org/#/c/39878/

[DRAFT]
Disabling a tenant does not disable a user token
----

### Summary ###
When a tenant is disabled in Keystone, tokens that have been issued to that tenant are not invalidated. This can result in users having access to your cloud after you have attempted to revoke them.

### Affected Services / Software ###
Keystone

### Discussion ###
It appears that Keystone does not purge the tokens given out to tenants when a tenant is disabled. In some scenarios this could be very important to cloud providers. Take the case where a cloud provider must a tenant's access because of some legal investigation. Even though the tenant is disabled it would be possible for them to terminate VMs / delete Swift files etc. - There are many other abuse-cases...

### Recommended Actions ###
How the tokens are stored depends on your cloud deployment. If you deploy using Memcache to back Keystone then flushing the cash when disabling a token would resolve this issue for you, at the cost of other token lookups which are no longer in the cash requiring Keystone interaction.

It is of course possible to script something to remove tokens from any backend DB or cache but there is no 'official' way to do this.

### Contacts / References ###
Proposed Fix : https://review.openstack.org/#/c/39878/
This OSSN : https://bugs.launchpad.net/ossn/+bug/1179955
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

[DRAFT]
Disabling a tenant does not disable a user token
----

### Summary ###
When a tenant is disabled in Keystone, tokens that have been issued to that tenant are not invalidated. This can result in users having access to your cloud after you have attempted to revoke them.

### Affected Services / Software ###
Keystone

### Discussion ###
It appears that Keystone does not purge the tokens given out to tenants when a tenant is disabled. In some scenarios this could be very important to cloud providers. Take the case where a cloud provider must a tenant's access because of some legal investigation. Even though the tenant is disabled it would be possible for them to terminate VMs / delete Swift files etc. - There are many other abuse-cases...

### Recommended Actions ###
How the tokens are stored depends on your cloud deployment. If you deploy using Memcache to back Keystone then flushing the cash when disabling a token would resolve this issue for you, at the cost of other token lookups which are no longer in the cash requiring Keystone interaction.

It is of course possible to script something to remove tokens from any backend DB or cache but there is no 'official' way to do this.

NOTE: Flushing memcache can result in loosing token revocation information as addressed in https://bugs.launchpad.net/ossn/+bug/1182920

### Contacts / References ###
Proposed Fix : https://review.openstack.org/#/c/39878/
This OSSN : https://bugs.launchpad.net/ossn/+bug/1179955
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

[DRAFT]
Disabling a tenant does not disable a user token
----

### Summary ###
When a tenant is disabled in Keystone, tokens that have been issued to that tenant are not invalidated. This can result in users having access to your cloud after you have attempted to revoke them.

### Affected Services / Software ###
Keystone

### Discussion ###
It appears that Keystone does not purge the tokens given out to tenants when a tenant is disabled. In some scenarios this could be very important to cloud providers. Take the case where a cloud provider must a tenant's access because of some legal investigation. Even though the tenant is disabled it would be possible for them to terminate VMs / delete Swift files etc. - There are many other abuse-cases...

### Recommended Actions ###
How the tokens are stored depends on your cloud deployment. If you deploy using Memcache to back Keystone then flushing the cash when disabling a token would resolve this issue for you, at the cost of other token lookups which are no longer in the cash requiring Keystone interaction.

It is of course possible to script something to remove tokens from any backend DB or cache but there is no 'official' way to do this.

NOTE: Flushing memcache can result in loosing token revocation information as addressed in https://bugs.launchpad.net/ossn/+bug/1182920

### Contacts / References ###
Proposed Fix : https://review.openstack.org/#/c/39878/
This OSSN : https://bugs.launchpad.net/ossn/+bug/1179955
CVE : CVE-2013-4222
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

I suggest removing "It appears that " from the start of the discussion.

Also "Take the case where a cloud provider must a tenant's" should be "Take the case where a cloud provider must revoke a tenant's".

Also " - There are many other abuse-cases..." should be "There are many other abuse-cases."

Reviewed: https://review.openstack.org/39878
Committed: http://github.com/openstack/keystone/commit/74f788aa9da0dabf54bd1f4718f9c0e0b9726757
Submitter: Jenkins
Branch: master

commit 74f788aa9da0dabf54bd1f4718f9c0e0b9726757
Author: Chmouel Boudjnah <email address hidden>
Date: Fri Aug 2 10:12:03 2013 +0200

    Revoke user tokens when disabling/delete a project

    - Revoke tokens scoped to all users from a project when disabling or
      deleting the project.
    - Tests provided by Dolph.

    Closes-Bug: #1179955
    Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9
    Signed-off-by: Chmouel Boudjnah <email address hidden>

Disabling a tenant does not disable a user token
----

### Summary ###
When a tenant is disabled in Keystone, tokens that have been issued to that tenant are not invalidated. This can result in users having access to your cloud after you have attempted to revoke them.

### Affected Services / Software ###
Keystone

### Discussion ###
Keystone does not purge the tokens given out to tenants when a tenant is disabled. In some scenarios this could be very important to cloud providers. Take the case where a cloud provider must a revoke tenant's access because of some legal investigation. Even though the tenant is disabled it would be possible for them to terminate VMs / delete Swift files etc. There are many other abuse-cases.

### Recommended Actions ###
How the tokens are stored depends on your cloud deployment. If you deploy using Memcache to back Keystone then flushing the cash when disabling a token would resolve this issue for you, at the cost of other token lookups which are no longer in the cash requiring Keystone interaction.

It is of course possible to script something to remove tokens from any backend DB or cache but there is no 'official' way to do this.

NOTE: Flushing memcache can result in loosing token revocation information as addressed in https://bugs.launchpad.net/ossn/+bug/1182920

### Contacts / References ###
Proposed Fix : https://review.openstack.org/#/c/39878/
This OSSN : https://bugs.launchpad.net/ossn/+bug/1179955
CVE : CVE-2013-4222
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

Published to OpenStack ML 30/08/2013

Will likely be addressing during icehouse using a new approach to revocation-
https://blueprints.launchpad.net/keystone/+spec/revocation-events

Rob -- did you issue this OSSN already? If not ..

May need to clarify Memcache without DB backend ( in "If you deploy using Memcache .." ), where flushing cache would resolve the issue. If there is a DB behind it, your next paragraph with DB script necessary to clean up.

And given Chmouel's fix has been committed .. please add

 "Patch https://review.openstack.org/39878 addresses the issue and will be part of the next official release of OpenStack/Keystone. "

Regards
Malini

> Will likely be addressing during icehouse using a new approach to revocation

I should revise my own comment #22 as it's not very clear. What I meant to say was:

> While this has been addressed for havana, we will *likely* be taking a new approach to revocation during icehouse

Was this a bug only in havana? or in grizzly/folsom as well?

ttx seems to think this applies to folsom/grizzly, can I get a patch for each please :D

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/46371

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/46381

Reviewed: https://review.openstack.org/46371
Committed: http://github.com/openstack/keystone/commit/c70f8c61d50c2358d712b365bec4a8f288314b54
Submitter: Jenkins
Branch: stable/grizzly

commit c70f8c61d50c2358d712b365bec4a8f288314b54
Author: Dolph Mathews <email address hidden>
Date: Thu Sep 12 17:02:26 2013 -0500

    Revoke user tokens when disabling/delete a project

    - Revoke tokens scoped to all users from a project when disabling or
      deleting the project.
    - Fix provided by chmouel

    Closes-Bug: #1179955
    Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9

Reviewed: https://review.openstack.org/46381
Committed: http://github.com/openstack/keystone/commit/7244e5342acb86c241e2d03fc76897174302de04
Submitter: Jenkins
Branch: stable/folsom

commit 7244e5342acb86c241e2d03fc76897174302de04
Author: Dolph Mathews <email address hidden>
Date: Thu Sep 12 17:02:26 2013 -0500

    Revoke user tokens when disabling/delete a tenant

    Revoke tokens scoped to all users from a tenant when disabling or
    deleting the tenant.

    Closes-Bug: #1179955
    Change-Id: I8ab4713d513b26ced6c37ed026cec9e2df78a5e9