[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens
Alexei Kornienko
akornienko at mirantis.com
Wed Mar 12 18:56:11 UTC 2014
d-w-chadwick I'm sorry but you are wrong in some of your assertions:
1. If you dont cache tokens you dont need revocation lists. You get a fresh token each time.
Cache is needed to speed up validation. For UUID tokens validation requires HTTP request to keystone and for PKI tokens it requires a subprocess call to openssl.
If you disable cache you are still able to use the same token until it's *expired*.
Rest of the assertions has to be updated to separate token exparation
and validation cache.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301
Title:
Keystone client token cache doesn't respect revoked tokens
Status in OpenStack Security Advisories:
Invalid
Status in Python client library for Keystone:
In Progress
Bug description:
If we'll enable caching for keystoneclient tokens we'll be able to use
tokens that are already revoked if they are present in cache:
https://github.com/openstack/python-
keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
steps to recreate:
1) get a token
2) use it to make a request via keystoneclient using default properties (thus it will be cached)
3) delete the token
4) use the token to make another request via keystoneclient
expected result: the token should not work (HTTP 401)
actual result: the token still works
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
More information about the Openstack-security
mailing list