[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens
Matthew Edmonds
edmondsw at us.ibm.com
Wed Mar 12 16:01:08 UTC 2014
I don't believe this only affects PKI tokens, as stated in comment 2. I
hit this with UUID tokens.
** Description changed:
If we'll enable caching for keystoneclient tokens we'll be able to use
tokens that are already revoked if they are present in cache:
https://github.com/openstack/python-
keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
+
+ steps to recreate:
+ 1) get a token
+ 2) use it to make a request via keystoneclient using default properties (thus it will be cached)
+ 3) delete the token
+ 4) use the token to make another request via keystoneclient
+
+ expected result: the token should not work (HTTP 401)
+ actual result: the token still works
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301
Title:
Keystone client token cache doesn't respect revoked tokens
Status in OpenStack Security Advisories:
Invalid
Status in Python client library for Keystone:
In Progress
Bug description:
If we enable caching for keystoneclient tokens, we'll be able to use
tokens that are already revoked if they are present in the cache:
https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
steps to recreate:
1) get a token
2) use it to make a request via keystoneclient using default properties (thus it will be cached)
3) delete the token
4) use the token to make another request via keystoneclient
expected result: the token should not work (HTTP 401)
actual result: the token still works
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
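The steps to recreate above, modelled as an added example; this is not code from keystoneclient or from the bug report. IdentityService, CachingValidator, the 300-second TTL and the token value are hypothetical stand-ins, and reading the revoked set directly is a simplification of the validator fetching a revocation list.

```python
import time


class IdentityService:
    """Hypothetical stand-in for the identity server."""

    def __init__(self):
        self._valid = set()
        self.revoked = set()  # simplified revocation list

    def issue(self, token_id):
        self._valid.add(token_id)

    def revoke(self, token_id):
        self._valid.discard(token_id)
        self.revoked.add(token_id)

    def validate(self, token_id):
        return token_id in self._valid


class CachingValidator:
    """Hypothetical service-side validator that caches good tokens."""

    def __init__(self, identity, ttl=300, check_revocation=False):
        self.identity = identity
        self.ttl = ttl  # assumed cache lifetime in seconds
        self.check_revocation = check_revocation
        self._cache = {}  # token_id -> cache expiry time

    def status_for(self, token_id, now=None):
        now = time.time() if now is None else now
        expiry = self._cache.get(token_id)
        if expiry is not None and now < expiry:
            # Cache hit: without a revocation check the token is trusted as-is.
            if not self.check_revocation or token_id not in self.identity.revoked:
                return 200
        self._cache.pop(token_id, None)  # expired, revoked or never cached
        if self.identity.validate(token_id):
            self._cache[token_id] = now + self.ttl
            return 200
        return 401


def reproduce(check_revocation):
    identity = IdentityService()
    validator = CachingValidator(identity, check_revocation=check_revocation)
    identity.issue("constructed-token")                 # 1) get a token
    first = validator.status_for("constructed-token")   # 2) request, token is cached
    identity.revoke("constructed-token")                # 3) delete the token
    second = validator.status_for("constructed-token")  # 4) request again
    return first, second
```

reproduce(False) gives the actual result from the report, and reproduce(True) gives the expected HTTP 401 on the second request.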