[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

Abu Shohel Ahmed 1287301 at bugs.launchpad.net
Thu Mar 13 16:00:14 UTC 2014


The earlier link somehow did not show in the email. Some analysis I have done
on this topic: Threats vs Performance


https://drive.google.com/file/d/0B1aEVfmQtqnoM0luMFpMMXh4RkE/edit?usp=sharing

…shohel

On 13 Mar 2014, at 14:29, Abu Shohel Ahmed <1287301 at bugs.launchpad.net>
wrote:

> Some pros and cons analysis on this topic. What are the related threats and
> their impacts.
> 
> 
> 
> 
> …shohel
> 
> 
> On 12 Mar 2014, at 18:35, Matthew Edmonds <edmondsw at us.ibm.com> wrote:
> 
>> setting a higher value for token_cache_time and a lower value for
>> revocation_cache_time (assuming we start using the revocation list here
>> as proposed by https://review.openstack.org/#/c/78241/) would allow you
>> to gain the performance improvement of not having to re-request tokens
>> as often while satisfying the security requirement that revocation take
>> effect in a timely manner. Yes, the revocation list is being requested
>> more frequently, and may offset some of the performance gains from
>> caching tokens. But the revocation list can be used to validate any
>> token, so multiple tokens could be validated over the life of the cached
>> revocation list, instead of each token validation requiring a call back
>> to keystone should token_cache_time be similarly reduced.
>> 
>> -- 
>> You received this bug notification because you are a member of OpenStack
>> Security Group, which is subscribed to OpenStack.
>> https://bugs.launchpad.net/bugs/1287301
>> 
>> Title:
>> Keystone client token cache doesn't respect revoked tokens
>> 
>> Status in OpenStack Security Advisories:
>> Invalid
>> Status in Python client library for Keystone:
>> In Progress
>> 
>> Bug description:
>> If we'll enable caching for keystoneclient tokens we'll be able to use
>> tokens that are already revoked if they are present in cache:
>> 
>> https://github.com/openstack/python-
>> keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
>> 
>> steps to recreate:
>> 1) get a token
>> 2) use it to make a request via keystoneclient using default properties (thus it will be cached)
>> 3) delete the token
>> 4) use the token to make another request via keystoneclient
>> 
>> expected result: the token should not work (HTTP 401)
>> actual result: the token still works
>> 
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
>> 
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> 
> 
> ** Attachment added: "Token_Access_scenario_CACHE Sheet1.pdf"
>   https://bugs.launchpad.net/bugs/1287301/+attachment/4022028/+files/Token_Access_scenario_CACHE%20Sheet1.pdf
> 
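An added example, not code from the thread or from python-keystoneclient: a toy auth_token-style middleware that shows the trade-off Matthew describes. FakeKeystone, AuthToken, the token id and the simulated clock are constructed stand-ins; reproduce() walks the bug report's four steps with the token cache alone (revocation_cache_time=None, the reported behaviour) and with a short revocation_cache_time, counting the round-trips to keystone in each case.

```python
class FakeKeystone:
    """Constructed stand-in for the identity server, not the real keystone API."""
    def __init__(self):
        self.tokens, self.revoked = set(), set()
    def revoke(self, tok):
        self.revoked.add(tok)
    def validate(self, tok):            # one round-trip to keystone per call
        return tok in self.tokens and tok not in self.revoked
    def revocation_list(self):          # one round-trip; the result covers any token
        return set(self.revoked)

class AuthToken:
    """Toy auth_token-style middleware: caches valid tokens for token_cache_time s;
    if revocation_cache_time is set, refetches the revocation list that often."""
    def __init__(self, ks, token_cache_time, revocation_cache_time=None):
        self.ks, self.tct, self.rct = ks, token_cache_time, revocation_cache_time
        self.now, self.calls = 0.0, 0                        # simulated clock, round-trips
        self.cache, self.revlist, self.rev_fetched = {}, set(), -1e9
    def _is_revoked(self, tok):
        if self.rct is None:
            return False   # bug 1287301 behaviour: cache consulted, revocation never seen
        if self.now - self.rev_fetched >= self.rct:          # list is stale: refresh it
            self.revlist, self.rev_fetched = self.ks.revocation_list(), self.now
            self.calls += 1
        return tok in self.revlist
    def authenticate(self, tok):
        if self._is_revoked(tok):
            self.cache.pop(tok, None)
            return 401
        if self.cache.get(tok, -1.0) > self.now:
            return 200     # cache hit: no call to keystone
        self.calls += 1
        if not self.ks.validate(tok):
            return 401
        self.cache[tok] = self.now + self.tct
        return 200

def reproduce(revocation_cache_time=None):
    """Bug report's steps 1-4; returns the status codes seen and keystone round-trips."""
    ks, tok = FakeKeystone(), "tok-alice-1"                  # constructed token id
    ks.tokens.add(tok)                                       # step 1: get a token
    mw = AuthToken(ks, token_cache_time=300, revocation_cache_time=revocation_cache_time)
    s1 = mw.authenticate(tok)                # step 2: validated, then cached
    ks.revoke(tok)                           # step 3: delete the token at keystone
    s2 = mw.authenticate(tok)                # step 4, at once: revocation list still stale
    mw.now += revocation_cache_time or 60    # wait out revocation_cache_time, then retry
    s3 = mw.authenticate(tok)
    return [s1, s2, s3], mw.calls
```

With the cache alone the revoked token keeps working for the whole token_cache_time after one round-trip; with revocation_cache_time=10 it is rejected once the list is refreshed, at the cost of one extra list fetch that would serve every other cached token too.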
