[Openstack-security] [Bug 1292283] Re: revocation events: deleting a token revokes all tokens with same expiration
Thierry Carrez
thierry.carrez+lp at gmail.com
Thu Oct 16 08:21:27 UTC 2014
** Changed in: keystone
Milestone: juno-rc1 => 2014.2
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1292283
Title:
revocation events: deleting a token revokes all tokens with same
expiration
Status in OpenStack Dashboard (Horizon):
Invalid
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
As part of the design process for revocation events it was determined
that a mechanism to revoke all dependent tokens was needed. This
covers the case of revoking a token and ensuring all tokens that were
created from that token are also revoked.
To accomplish this, the revocation of a specific token is done by
expiration_time. The expiration_time attribute is never changed on
subsequent tokens. This means it is easy to ensure revocation of an
entire chain of tokens.
This poses an issue if any specific token (or all tokens that are a
child of a specific token) should be revoked, but the parent tokens
should not be revoked.
Use case:
Get Unscoped token
Get Scoped Token from Unscoped token
Get New Scoped Token
Revoke first unscoped token
Now all tokens (including the Unscoped token) are revoked because they share an expiration_time.
Likely there needs to be a solution that allows for revoking based
upon expiration_time and issued_at and one that revokes on
expiration_time alone. Revoking by expiration_time alone is API
incompatible with previous API mechanisms (both V2 and V3).
This is the reason bug https://bugs.launchpad.net/horizon/+bug/1291099
was identified.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1292283/+subscriptions
More information about the Openstack-security
mailing list