[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

Clark, Robert Graham robert.clark at hp.com
Wed Mar 12 14:43:48 UTC 2014


Very good points raised here.

I think this is going to come down to a decision to be made by the deployer - do I use token caching and for how long?

Secure deployments will not use caching, deployments with moderate requirements might want to use a shorter cache life and isolated or low risk clouds may even use longer life caches.

Personally I think there's good grounds here for not only an OSSN but also an entry in the OpenStack Security Guide, discussing the tradeoff and possible compensating controls/procedures.

-Rob

-----Original Message-----
From: William M Edmonds [mailto:edmondsw at us.ibm.com] 
Sent: 12 March 2014 12:15
To: Bug 1287301
Cc: openstack-security at lists.openstack.org
Subject: Re: [Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

It seems like we need some discussion here. I added the following comment with several questions in the defect:

caching tokens for 5 minutes by default may be all well and good for performance, but not so much for security. Consider the following cases:
1) If an admin detects that someone is using a token maliciously, they'll delete it and expect that to stop the usage immediately. But it won't.
2) If someone deletes the token they were using and then walks away, they should not have to worry about someone else stepping up and continuing to use that token.
Is token caching really something we should be doing at all? By default?
If so, should the default really be as high as 5 minutes? How did we settle on such a large value?
Should we implement a notification mechanism for token revocation which would cause listening clients to update their cache immediately? (Note: someone may find a way to block the notification, so this isn't perfect...)


W. Matthew Edmonds
IBM Systems & Technology Group
Email: edmondsw at us.ibm.com
Phone: (919) 543-7538 / Tie-Line: 441-7538



From:   Jeremy Stanley <fungi at yuggoth.org>
To:     openstack-security at lists.openstack.org, 
Date:   03/10/2014 11:23 AM
Subject:        [Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens



Tagging security. The OSSG may decide this is worth drafting a note about, for broader visibility within the community.

** Tags added: security

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Invalid

--
You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301

Title:
  Keystone client token cache doesn't respect revoked tokens

Status in OpenStack Security Advisories:
  Invalid
Status in Python client library for Keystone:
  In Progress

Bug description:
  If we'll enable caching for keystoneclient tokens we'll be able to use
  tokens that are already revoked if they are present in cache:

  https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
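The failure mode described in the bug and in the two cases above (admin deletes a token but it keeps working; a user deletes their own token and someone else keeps using it), as an added, self-contained model. This is illustrative code written for this thread, not keystoneclient's auth_token middleware or any fix the project shipped; the TokenService, CachingValidator, FakeClock and demo* names, and the shape of the revocation-list check and the notification hook, are assumptions made for the example. It shows the same sequence of events under the four settings the thread weighs: a long cache with no revocation check (the reported behaviour), caching disabled, a cache that consults the revocation list on every hit, and a cache that is told about the revocation out of band.

```python
import time


class TokenService:
    """Constructed stand-in for a Keystone-style identity service.

    validate() models the round trip the middleware caches to avoid;
    validate_calls counts how many such round trips were made.
    """

    def __init__(self):
        self._valid = set()
        self._revoked = set()
        self.validate_calls = 0

    def issue(self, token_id):
        self._valid.add(token_id)

    def revoke(self, token_id):
        # Deleting a token (by an admin or by its owner) moves it onto
        # the revocation list; the service itself never accepts it again.
        self._valid.discard(token_id)
        self._revoked.add(token_id)

    def validate(self, token_id):
        self.validate_calls += 1
        return token_id in self._valid and token_id not in self._revoked

    def revoked_ids(self):
        return frozenset(self._revoked)


class FakeClock:
    """Controllable clock so cache expiry can be tested deterministically."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CachingValidator:
    """Caches validation results for cache_time seconds (the thread discusses
    a 5-minute default). With check_revocations=False a cache hit is trusted
    without consulting the revocation list, which is the reported problem.
    check_revocations=True is an assumed mitigation shape, not a description
    of the project's fix.
    """

    def __init__(self, service, cache_time=300, check_revocations=False,
                 clock=time.monotonic):
        self.service = service
        self.cache_time = cache_time
        self.check_revocations = check_revocations
        self.clock = clock
        self._cache = {}  # token_id -> (result, expiry timestamp)

    def validate(self, token_id):
        now = self.clock()
        hit = self._cache.get(token_id)
        if hit is not None and hit[1] > now:
            result = hit[0]
            if result and self.check_revocations and \
                    token_id in self.service.revoked_ids():
                self._cache.pop(token_id, None)
                return False
            return result
        result = self.service.validate(token_id)
        if self.cache_time > 0:
            self._cache[token_id] = (result, now + self.cache_time)
        return result

    def invalidate(self, token_id):
        """Hook a revocation notification would call; drops the cached entry."""
        self._cache.pop(token_id, None)


def demo(cache_time, check_revocations, delay=1):
    """Issue a token, validate it, revoke it after `delay` seconds, validate
    again. Returns (accepted_before, accepted_after, service_round_trips)."""
    clock = FakeClock()
    svc = TokenService()
    svc.issue("tok-1")
    v = CachingValidator(svc, cache_time, check_revocations, clock)
    before = v.validate("tok-1")
    clock.advance(delay)
    svc.revoke("tok-1")
    after = v.validate("tok-1")
    return before, after, svc.validate_calls


def demo_with_notification(cache_time=300):
    """Same sequence, but the cache is told about the revocation (this only
    helps if the notification is actually delivered, as the thread notes)."""
    clock = FakeClock()
    svc = TokenService()
    svc.issue("tok-1")
    v = CachingValidator(svc, cache_time, False, clock)
    before = v.validate("tok-1")
    svc.revoke("tok-1")
    v.invalidate("tok-1")
    after = v.validate("tok-1")
    return before, after, svc.validate_calls


if __name__ == "__main__":
    print("5 min cache, no revocation check:", demo(300, False))   # revoked token still accepted
    print("caching disabled:", demo(0, False))                     # rejected, one extra round trip
    print("5 min cache, revocation check on hit:", demo(300, True))
    print("5 min cache, request after expiry:", demo(300, False, delay=301))
    print("5 min cache, revocation notification:", demo_with_notification())
```

The first line of output is the bug: within the cache window the revoked token is accepted and the service is never asked again, so neither an admin's deletion nor the user's own logout takes effect until the entry expires. Disabling the cache fixes that at the price of one validation round trip per request, which is the trade-off the deployer has to make; checking a revocation list on each hit keeps the round-trip savings but is only as fresh as the list itself, and a notification-driven invalidation is only as reliable as delivery of the notification.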

_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
