Security update for identity recreation
Motivation
After recreating an identity using the following steps, Rucio allows token creation using
Creating the test identity fernando:

```
rucio-admin identity add --account carlos --type USERPASS --id fernando --email [email protected] --password secret
Added new identity to account: fernando-carlos
```

Listing identities for account carlos:

```
[root@2b8957951db8 rucio]# rucio-admin account list-identities carlos
Identity: fernando, type: USERPASS
```

Deleting the identity just created:

```
[root@2b8957951db8 rucio]# rucio-admin identity delete --account carlos --type USERPASS --id fernando
Deleted identity: fernando
```

Creating the same identity with a different password:

```
rucio-admin identity add --account carlos --type USERPASS --id fernando --email [email protected] --password othersecret
```
I can still connect using the old password, the one set when the identity was first created. A token is created for this password.
No token is created for the identity that was deleted and then reused/recreated with a different password.
We are using Rucio 1.20.2.
Modification
Thanks for the report. I'm having a look.
For every identity or account operation we should forcefully delete all tokens associated with this account/identity.
Some testing tells me that even deleting an entire account will leave residue. For example, when an account bernd is created and then deleted (in exactly the way described in test_del_user_success), it is not possible to create a new bernd because "An object with the same identifier already exists! Details: Account ID 'bernd' already exists!"
I will try to fix this in the scope of this issue.
That's on purpose, we are never deleting accounts, just disabling them.
Apparently, `rucio-admin identity delete` does not delete an identity; it does not even alter the deleted flag. The suggestion is to do the following:
- set an `obsolete` flag on the `delete` command in the CLI, since the effect of `delete` will change in the next major release
- shift the current effect of `delete` to a new command `detach`
- if the last associated account has been detached, set the delete flag on the identity
- make a new command `update-password` that changes the password for USERPASS identities
- `delete` should detach all accounts associated to the identity and set the delete flag
- also delete tokens each time a command of the ones above is run
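The following is an added illustration, not Rucio code, of the two behaviours discussed in this thread: the reported one, where "delete" only unlinks the account so the identity record, its old password and any issued tokens survive a re-add, and the proposed one, where detach/delete/update-password revoke tokens and an identity with no remaining accounts is flagged deleted so that re-adding it starts from a clean record. The class and method names (`IdentityStore`, `detach`, `update_password`, `authenticate`), the in-memory layout and the salted SHA-256 password hash are all assumptions made for the example.

```python
import hashlib
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted SHA-256 is an assumption for the example, not Rucio's scheme.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class IdentityStore:
    """In-memory identity / account / token store (hypothetical, for illustration).

    strict=False mimics the behaviour reported in the issue: detaching only
    unlinks the account, the identity record keeps its password, and tokens
    are never revoked.  strict=True follows the proposal in the thread.
    """

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.identities = {}  # (identity, type) -> {salt, hash, accounts, deleted}
        self.tokens = {}      # token -> (identity, type, account)

    def add(self, identity, id_type, account, password):
        key = (identity, id_type)
        rec = self.identities.get(key)
        if rec is None or rec["deleted"]:
            salt = os.urandom(16)
            rec = {"salt": salt, "hash": hash_password(password, salt),
                   "accounts": set(), "deleted": False}
            self.identities[key] = rec
        # A live identity keeps its existing password: the password passed to
        # a second 'add' is silently ignored, which is what the reporter hit.
        rec["accounts"].add(account)

    def _revoke(self, identity, id_type, account=None):
        # Drop every token issued for this identity (optionally for one account).
        self.tokens = {t: v for t, v in self.tokens.items()
                       if not (v[0] == identity and v[1] == id_type
                               and (account is None or v[2] == account))}

    def detach(self, identity, id_type, account):
        # The current effect of 'identity delete': unlink one account.
        rec = self.identities[(identity, id_type)]
        rec["accounts"].discard(account)
        if self.strict:
            self._revoke(identity, id_type, account)
            if not rec["accounts"]:
                rec["deleted"] = True  # last account gone: flag identity deleted

    def delete(self, identity, id_type):
        # Proposed 'delete': detach every account, then flag the identity.
        rec = self.identities[(identity, id_type)]
        for account in list(rec["accounts"]):
            self.detach(identity, id_type, account)
        self._revoke(identity, id_type)
        rec["deleted"] = True

    def update_password(self, identity, id_type, new_password):
        # Proposed 'update-password': rehash and revoke everything issued so far.
        rec = self.identities[(identity, id_type)]
        rec["salt"] = os.urandom(16)
        rec["hash"] = hash_password(new_password, rec["salt"])
        self._revoke(identity, id_type)

    def authenticate(self, identity, id_type, account, password):
        """Return a new token if the credentials are valid, else None."""
        rec = self.identities.get((identity, id_type))
        if rec is None or rec["deleted"] or account not in rec["accounts"]:
            return None
        if not secrets.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (identity, id_type, account)
        return token

    def validate(self, token):
        return token in self.tokens


def reproduce(strict: bool) -> dict:
    """Replay the steps from the issue report against a store."""
    store = IdentityStore(strict=strict)
    store.add("fernando", "USERPASS", "carlos", "secret")
    old_token = store.authenticate("fernando", "USERPASS", "carlos", "secret")
    store.detach("fernando", "USERPASS", "carlos")   # what 'identity delete' does today
    store.add("fernando", "USERPASS", "carlos", "othersecret")
    return {
        "old_password_works": store.authenticate("fernando", "USERPASS", "carlos", "secret") is not None,
        "new_password_works": store.authenticate("fernando", "USERPASS", "carlos", "othersecret") is not None,
        "old_token_still_valid": store.validate(old_token),
    }


def password_change_revokes() -> tuple:
    """update-password must invalidate tokens issued under the old password."""
    store = IdentityStore(strict=True)
    store.add("fernando", "USERPASS", "carlos", "secret")
    token = store.authenticate("fernando", "USERPASS", "carlos", "secret")
    store.update_password("fernando", "USERPASS", "othersecret")
    return (store.validate(token),
            store.authenticate("fernando", "USERPASS", "carlos", "othersecret") is not None)


if __name__ == "__main__":
    print("reported behaviour:", reproduce(strict=False))
    print("proposed behaviour:", reproduce(strict=True))
```

With `strict=False` the replay shows the bug exactly as reported: the old password still authenticates, the new one does not, and the token issued before the delete is still accepted. With `strict=True` all three flip, because the detach revoked the token, flagged the identity deleted, and the re-add created a fresh record with the new password. The point for the real fix is the one made above: any operation that changes who can use an identity, or with which secret, has to revoke the tokens that were issued under the previous state, not just update the mapping.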