[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens
Dolph Mathews
1287301 at bugs.launchpad.net
Thu May 29 16:52:53 UTC 2014
** Changed in: python-keystoneclient
Milestone: None => 0.9.0
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1287301
Title:
Keystone client token cache doesn't respect revoked tokens
Status in OpenStack Security Advisories:
Invalid
Status in Python client library for Keystone:
Fix Committed
Bug description:
If we'll enable caching for keystoneclient tokens we'll be able to use
tokens that are already revoked if they are present in cache:
https://github.com/openstack/python-
keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
steps to recreate:
1) get a token
2) use it to make a request via keystoneclient using default properties (thus it will be cached)
3) delete the token
4) use the token to make another request via keystoneclient
expected result: the token should not work (HTTP 401)
actual result: the token still works
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
More information about the Openstack-security
mailing list