[Openstack-security] [Bug 1484237] Re: token revocations not always respected when using fernet tokens
Thierry Carrez
thierry.carrez+lp at gmail.com
Thu Oct 15 09:59:19 UTC 2015
** Changed in: keystone
Milestone: liberty-rc1 => 8.0.0
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1484237
Title:
token revocations not always respected when using fernet tokens
Status in Keystone:
Fix Released
Status in Keystone kilo series:
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
A simple test that shows that fernet tokens are not always being
invalidated.
Simple test steps:
1) gets a token
2) deletes a token
3) tries to validate the deleted token
When I run this in production on 10 tokens, I get about a 20% success
rate on the token being detected as invalid, 80% of the time, keystone
tells me the token is valid.
I have validated that the token is showing in the revocation event
table.
I've tried a 5 second delay between the calls which did not change the
behavior.
My current script (below) will look for 204 and 404 to show failure
and will wait forever. I've let it wait over 5 minutes, it seems to me
that either keystone knows immediately that the token is invalid or
not at all.
I do not have memcache enabled on these nodes.
The same test has a 100% pass rate with UUID tokens.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484237/+subscriptions
More information about the Openstack-security
mailing list