[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens
Robert Clark
1287301 at bugs.launchpad.net
Wed Mar 12 14:47:58 UTC 2014
Very good points raised here.
I think this is going to come down to a decision to be made by the
deployer - do I use token caching and for how long?
Secure deployments will likely not use caching, deployments with
moderate requirements might want to use a shorter cache life and
isolated or low risk clouds may even use longer life caches.
Personally I think there's good grounds here for not only an OSSN but
also an entry in the OpenStack Security Guide, discussing the tradeoff
and possible compensating controls/procedures.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301
Title:
Keystone client token cache doesn't respect revoked tokens
Status in OpenStack Security Advisories:
Invalid
Status in Python client library for Keystone:
In Progress
Bug description:
If we'll enable caching for keystoneclient tokens we'll be able to use
tokens that are already revoked if they are present in cache:
https://github.com/openstack/python-
keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
More information about the Openstack-security
mailing list