[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

Abu Shohel Ahmed 1287301 at bugs.launchpad.net
Thu Mar 13 12:29:21 UTC 2014


Some pros and cons analysis on this topic: what the related threats are and
their impacts.




…shohel


On 12 Mar 2014, at 18:35, Matthew Edmonds <edmondsw at us.ibm.com> wrote:

> Setting a higher value for token_cache_time and a lower value for
> revocation_cache_time (assuming we start using the revocation list here
> as proposed by https://review.openstack.org/#/c/78241/) would allow you
> to gain the performance improvement of not having to re-request tokens
> as often while satisfying the security requirement that revocation take
> effect in a timely manner. Yes, the revocation list is being requested
> more frequently, and may offset some of the performance gains from
> caching tokens. But the revocation list can be used to validate any
> token, so multiple tokens could be validated over the life of the cached
> revocation list, instead of each token validation requiring a call back
> to keystone should token_cache_time be similarly reduced.
> 
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security


** Attachment added: "Token_Access_scenario_CACHE Sheet1.pdf"
   https://bugs.launchpad.net/bugs/1287301/+attachment/4022028/+files/Token_Access_scenario_CACHE%20Sheet1.pdf
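To make the trade-off in the quoted proposal concrete, here is a small model of the auth_token cache with and without a separately timed revocation list. It is an added example, not python-keystoneclient code; the stub Keystone, the fake clock and the timing values (token_cache_time=300, a 60 s delay) are constructed. `replay_bug(None)` walks the four steps of the bug report against a cache that never consults revocation and still accepts the deleted token; `replay_bug(30)` rejects it as soon as the revocation list is refreshed, while a revocation_cache_time longer than the delay still accepts it, showing that revocation lag is bounded by that setting, not by token_cache_time.

```python
class FakeClock:
    """Constructed monotonic clock so the scenario is deterministic."""
    def __init__(self): self.now = 0.0
    def advance(self, seconds): self.now += seconds
    def __call__(self): return self.now

class KeystoneStub:
    """Stand-in for the Keystone server (constructed, not the real API)."""
    def __init__(self):
        self.valid, self.revoked, self.calls = set(), set(), 0
    def issue(self, tok): self.valid.add(tok)
    def revoke(self, tok): self.valid.discard(tok); self.revoked.add(tok)
    def validate(self, tok):            # round trip made on a cache miss
        self.calls += 1
        return tok in self.valid
    def revocation_list(self):          # the list the linked review proposes using
        self.calls += 1
        return frozenset(self.revoked)

class AuthTokenCache:
    """Token cache; revocation_cache_time=None models the reported bug (no check)."""
    def __init__(self, keystone, token_cache_time, revocation_cache_time, clock):
        self.ks, self.clock = keystone, clock
        self.token_cache_time, self.revocation_cache_time = token_cache_time, revocation_cache_time
        self.cache, self.revoked, self.rev_fetched = {}, frozenset(), None

    def is_valid(self, tok):
        now = self.clock()
        if self.revocation_cache_time is not None and (
                self.rev_fetched is None or now - self.rev_fetched >= self.revocation_cache_time):
            self.revoked, self.rev_fetched = self.ks.revocation_list(), now
        if tok in self.revoked:
            self.cache.pop(tok, None)   # evict even if the cached entry is still fresh
            return False
        if self.cache.get(tok, -1) > now:
            return True                 # cache hit: no call back to Keystone
        ok = self.ks.validate(tok)
        if ok:
            self.cache[tok] = now + self.token_cache_time
        return ok

def replay_bug(revocation_cache_time, delay=60):
    """Steps 1-4 of the bug report; returns whether the revoked token is still accepted."""
    clock, ks = FakeClock(), KeystoneStub()
    mw = AuthTokenCache(ks, token_cache_time=300, revocation_cache_time=revocation_cache_time, clock=clock)
    ks.issue("tok")                      # 1) get a token
    assert mw.is_valid("tok")            # 2) request via the middleware -> cached for 300 s
    ks.revoke("tok")                     # 3) delete the token
    clock.advance(delay)                 # still inside token_cache_time
    return mw.is_valid("tok")            # 4) reuse it: True reproduces the bug
```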

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301

Title:
  Keystone client token cache doesn't respect revoked tokens

Status in OpenStack Security Advisories:
  Invalid
Status in Python client library for Keystone:
  In Progress

Bug description:
  If we enable caching for keystoneclient tokens, we will be able to use
  tokens that have already been revoked if they are present in the cache:

  https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831

  Steps to recreate:
  1) get a token
  2) use it to make a request via keystoneclient using default properties (thus it will be cached)
  3) delete the token
  4) use the token to make another request via keystoneclient

  Expected result: the token should not work (HTTP 401)
  Actual result: the token still works

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
