[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

Openstack Gerrit 1287301 at bugs.launchpad.net
Thu Apr 24 07:53:11 UTC 2014


Reviewed:  https://review.openstack.org/78241
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=8574256f9342faeba2ce64080ab5190023524e0a
Submitter: Jenkins
Branch:    master

commit 8574256f9342faeba2ce64080ab5190023524e0a
Author: Alexei Kornienko <akornienko at mirantis.com>
Date:   Wed Mar 5 16:50:37 2014 +0200

    Ensure that cached token is not revoked
    
    We need to ensure that tokens won't stay in cache after they have been
    revoked.
    
    Changed default revocation_cache_time 300 -> 10 seconds.
    revocation_cache_time has to be << token_cache_time to make the token
    cache efficient.
    
    Fixes bug #1287301
    
    Change-Id: I14c0eacac3b431c06e40385c891a6636736e5b4a


** Changed in: python-keystoneclient
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301

Title:
  Keystone client token cache doesn't respect revoked tokens

Status in OpenStack Security Advisories:
  Invalid
Status in Python client library for Keystone:
  Fix Committed

Bug description:
  If we enable caching for keystoneclient tokens, we will be able to use
  tokens that are already revoked if they are present in the cache:

  https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831

  steps to recreate:
  1) get a token
  2) use it to make a request via keystoneclient using default properties (thus it will be cached)
  3) delete the token
  4) use the token to make another request via keystoneclient

  expected result: the token should not work (HTTP 401)
  actual result: the token still works

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
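The following Python model is an added illustration and is not code from the bug report or from python-keystoneclient. It reproduces the four "steps to recreate" against a constructed stand-in for the identity service and a small validator that keeps the two caches the commit message talks about: per-token validation results (kept for token_cache_time) and the revocation list (kept for revocation_cache_time). The class and function names (FakeKeystone, CachingValidator, revoked_token_window) and the flag check_revocation_on_hit are assumptions made for this example; the numbers it reports show why fixing the cache-hit path alone is not enough and why the default revocation_cache_time had to drop well below token_cache_time.

```python
"""Constructed model of a token-validating middleware with two caches.

Added example, not keystoneclient's code: a fake clock and a fake identity
service make the window in which a revoked token keeps working measurable.
"""
from dataclasses import dataclass, field


class FakeKeystone:
    """Stand-in for the identity service: issues, revokes and lists tokens."""

    def __init__(self):
        self._valid = set()
        self._revoked = set()
        self.validate_calls = 0
        self.revocation_list_calls = 0

    def issue(self, token_id):
        self._valid.add(token_id)

    def revoke(self, token_id):
        # Step 3 of the report: the token is deleted server-side.
        self._valid.discard(token_id)
        self._revoked.add(token_id)

    def validate(self, token_id):
        """Online validation of a single token (counts round trips)."""
        self.validate_calls += 1
        return token_id in self._valid

    def revocation_list(self):
        """Online fetch of the full revocation list (counts round trips)."""
        self.revocation_list_calls += 1
        return set(self._revoked)


@dataclass
class CachingValidator:
    keystone: FakeKeystone
    token_cache_time: float = 300.0       # seconds a validation result is reused
    revocation_cache_time: float = 10.0   # seconds the revocation list is reused
    check_revocation_on_hit: bool = True  # False reproduces the reported bug
    _token_cache: dict = field(default_factory=dict)  # token_id -> (valid, expires_at)
    _revoked: set = field(default_factory=set)
    _revoked_expires_at: float = -1.0

    def _revocation_list(self, now):
        # The list itself is cached, so a revocation is invisible for up to
        # revocation_cache_time seconds after it happens.
        if now >= self._revoked_expires_at:
            self._revoked = self.keystone.revocation_list()
            self._revoked_expires_at = now + self.revocation_cache_time
        return self._revoked

    def is_valid(self, token_id, now):
        cached = self._token_cache.get(token_id)
        if cached is not None and now < cached[1]:
            valid = cached[0]
            if valid and self.check_revocation_on_hit:
                # The fix: a cache hit is only trusted if the (possibly stale)
                # revocation list does not name the token.
                if token_id in self._revocation_list(now):
                    self._token_cache.pop(token_id, None)
                    return False
            return valid
        valid = self.keystone.validate(token_id)
        if valid and self.check_revocation_on_hit:
            valid = token_id not in self._revocation_list(now)
        self._token_cache[token_id] = (valid, now + self.token_cache_time)
        return valid


def revoked_token_window(validator, keystone, token_id="tok-1"):
    """Run the report's steps and return the last second (after revocation
    at t=0) at which the revoked token was still accepted."""
    keystone.issue(token_id)                        # step 1: get a token
    if not validator.is_valid(token_id, now=0.0):   # step 2: use it (cached)
        raise RuntimeError("fresh token should validate")
    keystone.revoke(token_id)                       # step 3: delete the token
    t = 1.0
    while validator.is_valid(token_id, now=t):      # step 4: does it still work?
        t += 1.0
    return t - 1.0


if __name__ == "__main__":
    for label, kwargs in [
        ("bug (no check on hit), rev cache 300s", dict(check_revocation_on_hit=False, revocation_cache_time=300.0)),
        ("fix, rev cache 300s (old default)", dict(revocation_cache_time=300.0)),
        ("fix, rev cache 10s (new default)", dict(revocation_cache_time=10.0)),
    ]:
        ks = FakeKeystone()
        print(f"{label}: accepted for {revoked_token_window(CachingValidator(ks, **kwargs), ks):.0f}s")
```

With the old 300 s revocation_cache_time the revocation check on cache hits changes nothing in practice: the stale list expires at the same moment as the cached validation, so the revoked token is honoured for the full token_cache_time either way. Only when revocation_cache_time is much smaller than token_cache_time does the fix bound the exposure (here to 9 s) while still serving almost every request from cache.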
