[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens
David Chadwick
1287301 at bugs.launchpad.net
Wed Mar 12 13:49:06 UTC 2014
Implementing security controls is always a balance between cost,
usability, effectiveness etc. So there are no right answers. It all
depends upon the risk aversion (or willingness) of the organisation.
Therefore having configuration values for token cache time and
revocation cache time seems to be the best way to deal with this
(including allowing a zero cache time). The risk averse organisation can
set low or zero values and take the cost and performance consequences
of this, whereas the risk willing organisation can set much higher
values and have lower costs, higher performance and a greater risk of
revoked tokens being wrongly used. I don't really see what Matthew's
problem is, providing this is clearly documented (as Dolph agrees it
should be).
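The trade-off described above, as an added illustration that is not part of the thread or of keystoneclient: a constructed caching validator with two knobs (names assumed to mirror the "token cache time" and "revocation cache time" settings discussed) and a check of whether a token revoked after it was cached is still accepted.

```python
# Constructed model of the trade-off discussed above; not keystoneclient code.
# The two knobs are assumed to mirror the "token cache time" and
# "revocation cache time" settings the thread proposes.

class FakeIdentityServer:
    """Stand-in for Keystone: knows which tokens are issued and which are revoked."""
    def __init__(self, valid):
        self.valid, self.revoked = set(valid), set()
    def revoke(self, token):
        self.valid.discard(token)
        self.revoked.add(token)
    def is_valid(self, token):
        return token in self.valid
    def revocation_list(self):
        return set(self.revoked)

class CachingValidator:
    """Caches positive validations and a local copy of the revocation list."""
    def __init__(self, server, token_cache_time, revocation_cache_time):
        self.server = server
        self.token_cache_time = token_cache_time            # seconds; 0 disables caching
        self.revocation_cache_time = revocation_cache_time  # seconds; 0 = refresh every call
        self._cache = {}         # token -> time its cache entry expires
        self._revoked = set()    # local copy of the revocation list
        self._revoked_at = None  # when that copy was fetched

    def validate(self, token, now):
        # Refresh the revocation list only when the local copy is stale.
        if self._revoked_at is None or now - self._revoked_at >= self.revocation_cache_time:
            self._revoked = self.server.revocation_list()
            self._revoked_at = now
        if token in self._revoked:
            self._cache.pop(token, None)
            return False
        # A fresh cached positive result skips the round trip to the server.
        exp = self._cache.get(token)
        if exp is not None and now < exp:
            return True
        ok = self.server.is_valid(token)
        if ok and self.token_cache_time > 0:
            self._cache[token] = now + self.token_cache_time
        return ok

def revoked_token_accepted(token_cache_time, revocation_cache_time):
    """Validate at t=0, revoke the token, re-check at t=2: does the stale cache win?"""
    server = FakeIdentityServer({"tok-A"})
    v = CachingValidator(server, token_cache_time, revocation_cache_time)
    assert v.validate("tok-A", now=0)
    server.revoke("tok-A")
    return v.validate("tok-A", now=2)
```

With both values at 300 the revoked token is still accepted at t=2; setting either the token cache time to 0 (or below the elapsed time) or the revocation cache time to 0 closes the window, at the cost of a server round trip per request.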
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301
Title:
Keystone client token cache doesn't respect revoked tokens
Status in OpenStack Security Advisories:
Invalid
Status in Python client library for Keystone:
In Progress
Bug description:
If we'll enable caching for keystoneclient tokens we'll be able to use
tokens that are already revoked if they are present in cache:
https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions