[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

Abu Shohel Ahmed ahmed.shohel at ericsson.com
Wed Mar 12 13:33:35 UTC 2014


I agree, we have also identified the issue during Keystone Threat Modelling. A system should be by default secure.
However, the performance impact is always a question in this scenario. We can also have discussion around
OpenStack's philosophy 'everything will become eventually consistent' - does it apply for security.
For the time being, I am willing to volunteer for writing an OSSN on this, if we agree that this is a topic to address.

…shohel


On 12 Mar 2014, at 14:11, Matthew Edmonds <edmondsw at us.ibm.com> wrote:

> caching tokens for 5 minutes by default may be all well and good for performance, but not so much for security. Consider the following cases:
> 1) If an admin detects that someone is using a token maliciously, they'll delete it and expect that to stop the usage immediately. But it won't.
> 2) If someone deletes the token they were using and then walks away, they should not have to worry about someone else stepping up and continuing to use that token.
> 
> Is token caching really something we should be doing at all? By default?
> 
> If so, should the default really be as high as 5 minutes? How did we
> settle on such a large value?
> 
> Should we implement a notification mechanism for token revocation which
> would cause listening clients to update their cache immediately? (Note:
> someone may find a way to block the notification, so this isn't
> perfect...)
> 
> -- 
> You received this bug notification because you are a member of OpenStack
> Security Group, which is subscribed to OpenStack.
> https://bugs.launchpad.net/bugs/1287301
> 
> Title:
>  Keystone client token cache doesn't respect revoked tokens
> 
> Status in OpenStack Security Advisories:
>  Invalid
> Status in Python client library for Keystone:
>  In Progress
> 
> Bug description:
>  If we'll enable caching for keystoneclient tokens we'll be able to use
>  tokens that are already revoked if they are present in cache:
> 
>  https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
> 
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
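The caching hazard described in the bug report and in Matthew's two cases, as an added Python illustration that is not keystoneclient's own code: a TTL cache that trusts a cached positive validation until it expires, beside a variant that consults a revocation list before honouring a cache hit. The `TokenValidator` class, its injectable clock, the `revoked` set (an assumed stand-in for Keystone's revocation data) and the token strings are all constructed for this example.

```python
"""Constructed example: token validation with and without a revocation check.
Not keystoneclient code; names and data structures are hypothetical."""
import time


class TokenValidator:
    def __init__(self, now=time.time, cache_ttl=300):
        self.now = now                # injectable clock so the TTL can be simulated
        self.cache_ttl = cache_ttl    # 300 s mirrors the 5-minute default under discussion
        self.valid_tokens = set()     # stands in for Keystone's token store
        self.revoked = set()          # stands in for a synced revocation list
        self._cache = {}              # token -> (validation result, time cached)

    def issue(self, token):
        self.valid_tokens.add(token)

    def revoke(self, token):
        # Admin deletes the token (case 1) or the user deletes it (case 2).
        self.valid_tokens.discard(token)
        self.revoked.add(token)

    def _ask_keystone(self, token):
        # Stand-in for the round trip to Keystone that the cache tries to avoid.
        return token in self.valid_tokens

    def validate_cache_only(self, token):
        """Vulnerable behaviour: a cached positive result is trusted until the
        TTL elapses, so a revoked token keeps working for up to cache_ttl."""
        hit = self._cache.get(token)
        if hit is not None and self.now() - hit[1] < self.cache_ttl:
            return hit[0]
        result = self._ask_keystone(token)
        self._cache[token] = (result, self.now())
        return result

    def validate_with_revocation_check(self, token):
        """Hardened behaviour: check the revocation list before trusting a cache
        hit and evict the stale entry. Revocation-list sync latency still applies."""
        if token in self.revoked:
            self._cache.pop(token, None)
            return False
        return self.validate_cache_only(token)


def demo():
    """Returns (accepted_after_revoke_vulnerable, accepted_after_revoke_hardened)."""
    clock = [1000.0]
    v = TokenValidator(now=lambda: clock[0])
    v.issue("tok-A")
    v.validate_cache_only("tok-A")        # warms the cache with a positive result
    v.revoke("tok-A")
    return (v.validate_cache_only("tok-A"), v.validate_with_revocation_check("tok-A"))
```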

