[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

William M Edmonds edmondsw at us.ibm.com
Wed Mar 12 12:15:27 UTC 2014 

It seems like we need some discussion here. I added the following comment 
with several questions in the defect:

caching tokens for 5 minutes by default may be all well and good for 
performance, but not so much for security. Consider the following cases:
1) If an admin detects that someone is using a token maliciously, they'll 
delete it and expect that to stop the usage immediately. But it won't.
2) If someone deletes the token they were using and then walks away, they 
should not have to worry about someone else stepping up and continuing to 
use that token.
Is token caching really something we should be doing at all? By default?
If so, should the default really be as high as 5 minutes? How did we 
settle on such a large value?
Should we implement a notification mechanism for token revokation which 
would cause listening clients to update their cache immediately? (Note: 
someone may find a way to block the notification, so this isn't 
perfect...)


W. Matthew Edmonds
IBM Systems & Technology Group
Email: edmondsw at us.ibm.com
Phone: (919) 543-7538 / Tie-Line: 441-7538



From:   Jeremy Stanley <fungi at yuggoth.org>
To:     openstack-security at lists.openstack.org, 
Date:   03/10/2014 11:23 AM
Subject:        [Openstack-security] [Bug 1287301] Re: Keystone client 
token cache doesn't respect revoked tokens



Tagging security. The OSSG may decide this is worth drafting a note
about, for broader visibility within the community.

** Tags added: security

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301

Title:
  Keystone client token cache doesn't respect revoked tokens

Status in OpenStack Security Advisories:
  Invalid
Status in Python client library for Keystone:
  In Progress

Bug description:
  If we'll enable caching for keystoneclient tokens we'll be able to use
  tokens that are already revoked if they are present in cache:

  https://github.com/openstack/python-
  keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions

_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security

More information about the Openstack-security mailing list