[Bug 881464] Re: [MIR] keystone
Jamie Strandboge
jamie at ubuntu.com
Thu Mar 8 22:39:36 UTC 2012
I have performed another shallow security audit of keystone. The code audit was
not deep because "Keystone is very young and developing very fast" (even more
so now because of the rewrite; see
http://docs.openstack.org/trunk/openstack-identity/admin/content/what-is.html).
With that said, here is my review:
Package review:
- Does not run as root
- Has test suite in the build, but 139 out of 266 test cases fail. debian/rules
has:
    override_dh_auto_test:
        bash run_tests.sh -N || true
- Listens on all interfaces by default, on ports 5000/tcp and 35357/tcp (admin
interface)
- no sudo fragments
- no DBus services
- no setuid/setgid binaries
- By default, does not use SSL. Since access to keystone is necessarily over
the network and considering that Keystone/Nova/Glance/Quantum bits are likely
on a trusted network (though they should use SSL as well), the most important
bit seems to be the User to Keystone interaction, as that is where the password
is passed and the token used by the other services is received. If the password
or token is snooped then an attacker can do everything as that authenticated
user.
- The previous version of keystone had some sort of SSL capabilities, but this
version doesn't support it in any documentation.
Code review:
- no privileged operations
- process spawning seems sane
- file handling seems sane
- environment handling seems sane
- uses sqlalchemy, which is good
Requirements for main inclusion:
- add to manpage the fact that this must be on a trusted network segment or
provide proper SSL configuration.
- fix test suite and make it fail the build
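The debian/rules override quoted above and the "make it fail the build" requirement both come down to one shell detail: `|| true` discards the test runner's exit status, so dh_auto_test can never fail. The script below is an added illustration, not code from the bug report or the keystone package; it constructs a stand-in run_tests.sh that exits non-zero (standing in for the 139 failing cases) and runs it under both the masked recipe and the strict one. It uses `sh` rather than `bash` to invoke the runner so it stays POSIX-only.

```shell
#!/bin/sh
# Added example (not from the bug report or from keystone): why
# "bash run_tests.sh -N || true" cannot fail a build, and the strict form
# that does. The runner below is constructed; it ignores its arguments and
# exits 1 to stand in for a suite with failing cases.

# Create a throwaway directory holding a constructed run_tests.sh that
# prints a summary like the real suite would and exits non-zero.
make_fake_runner() {
    dir=$(mktemp -d)
    cat > "$dir/run_tests.sh" <<'EOF'
#!/bin/sh
echo "Ran 266 tests, 139 failures"
exit 1
EOF
    chmod +x "$dir/run_tests.sh"
    echo "$dir"
}

# The recipe as quoted from debian/rules: '|| true' replaces the runner's
# exit status with 0, so dh_auto_test succeeds and the package builds even
# though the suite is broken. Returns 0 regardless of the test result.
run_tests_masked() {
    dir=$1
    (cd "$dir" && sh run_tests.sh -N || true)
}

# The recipe the review asks for: without '|| true' the runner's exit
# status propagates, dh_auto_test fails, and so does the build.
run_tests_strict() {
    dir=$1
    (cd "$dir" && sh run_tests.sh -N)
}

# Stand-alone demonstration of both recipes against the constructed runner.
d=$(make_fake_runner)
run_tests_masked "$d" && echo "masked recipe: exit 0, build would succeed"
run_tests_strict "$d" || echo "strict recipe: exit $?, build would fail"
rm -rf "$d"
```

In a real debian/rules the recipe line must be tab-indented and the `bash` invocation can stay; the only change needed to satisfy the review is dropping the `|| true` once the suite actually passes.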
** Changed in: keystone (Ubuntu)
Status: New => In Progress
** Changed in: keystone (Ubuntu)
Assignee: Jamie Strandboge (jdstrand) => (unassigned)
https://bugs.launchpad.net/bugs/881464
Title:
[MIR] keystone