[Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens

Dolph Mathews 1434034 at bugs.launchpad.net
Tue Sep 1 18:24:36 UTC 2015


Based on today's keystone meeting and the above comments, I've reduced
the priority of this to Medium across the board and marked this as Won't
Fix in Keystone.

Although this is working as intended, we acknowledge that that intended
behavior is poorly documented, and it seems an OSSN is the best route to
rectify that.

I'd be happy to work with whoever wants to write the OSSN - ping me in
IRC (dolphm) or leave a comment here.

** Changed in: keystone
   Importance: Critical => Medium

** Changed in: keystone
       Status: In Progress => Won't Fix

** Changed in: keystone/juno
   Importance: Critical => Medium

** Changed in: keystone/juno
       Status: In Progress => Won't Fix

** Changed in: ossn
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1434034

Title:
  Disabling users & groups may not invalidate previously-issued tokens

Status in Keystone:
  Won't Fix
Status in Keystone juno series:
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Confirmed

Bug description:
  Even if the user is disabled, the last token can still be used and is validated.

  0. user foo is enabled
  1. get token (a)
  2. user foo is disabled
  3. foo can still use any API with token (a)

  That's all.
  This issue is not caused by the cache process.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions
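The three-step check from the bug description, written out against the Keystone v3 token and user APIs, as an added example that is not code from the bug report, from the mailing list, or from Keystone itself. The HTTP transport is injected, so the same check runs offline here against `FakeKeystone`, a constructed model of the reported behaviour (validation looks only at the token itself, not at the user's current enabled flag), and can be pointed at a real endpoint by passing a transport built on a library such as `requests`. `USER_ID`, `ADMIN_TOKEN`, the user `foo`/`pw` and the fake server are assumptions for the offline run.

```python
"""Added example (not from the bug report or Keystone): reproduce the
'disabled user, old token still valid' check against the Keystone v3 API
with an injected transport, so it runs offline against a constructed fake."""

# Assumed values for the offline run; not taken from the bug report.
ADMIN_TOKEN = "admin-token"   # hypothetical admin-scoped token
USER_ID = "u-foo"             # hypothetical ID of user foo


def auth_request(username, password, domain_id="default"):
    """Password auth: POST /v3/auth/tokens. Keystone answers 201 and puts
    the new token in the X-Subject-Token response header."""
    body = {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": {"name": username,
                                                        "domain": {"id": domain_id},
                                                        "password": password}}}}}
    return ("POST", "/v3/auth/tokens", {"Content-Type": "application/json"}, body)


def disable_user_request(user_id, admin_token):
    """PATCH /v3/users/{id} with enabled=false (needs an admin token)."""
    return ("PATCH", f"/v3/users/{user_id}",
            {"X-Auth-Token": admin_token, "Content-Type": "application/json"},
            {"user": {"enabled": False}})


def validate_request(subject_token, admin_token):
    """GET /v3/auth/tokens validates the token in X-Subject-Token:
    200 means Keystone still accepts it, 404 means invalid or revoked."""
    return ("GET", "/v3/auth/tokens",
            {"X-Auth-Token": admin_token, "X-Subject-Token": subject_token}, None)


def token_survives_disable(transport, username, password, user_id, admin_token):
    """Steps 1-3 of the report. `transport(method, path, headers, body)`
    returns (status, headers, body). True means the token issued before
    the user was disabled is still accepted afterwards."""
    status, headers, _ = transport(*auth_request(username, password))
    if status != 201:
        raise RuntimeError(f"auth failed: {status}")
    token = headers["X-Subject-Token"]                   # step 1: token (a)
    status, _, _ = transport(*disable_user_request(user_id, admin_token))
    if status != 200:
        raise RuntimeError(f"disable failed: {status}")  # step 2: foo disabled
    status, _, _ = transport(*validate_request(token, admin_token))
    return status == 200                                 # step 3: still valid?


class FakeKeystone:
    """Constructed stand-in for the behaviour the report describes: a token
    is validated on its own content only, so disabling the user does not
    invalidate tokens issued earlier. check_enabled=True models a server
    that re-checks the user at validation time. Authorization of the admin
    token is not modelled."""

    def __init__(self, check_enabled=False):
        self.users = {USER_ID: {"name": "foo", "password": "pw", "enabled": True}}
        self.tokens = {}  # token -> user id
        self.check_enabled = check_enabled

    def __call__(self, method, path, headers, body):
        if (method, path) == ("POST", "/v3/auth/tokens"):
            creds = body["auth"]["identity"]["password"]["user"]
            for uid, u in self.users.items():
                if (u["name"], u["password"], u["enabled"]) == (creds["name"], creds["password"], True):
                    tok = f"tok-{len(self.tokens)}"
                    self.tokens[tok] = uid
                    return 201, {"X-Subject-Token": tok}, {}
            return 401, {}, {}
        if method == "PATCH" and path.startswith("/v3/users/"):
            uid = path.rsplit("/", 1)[1]
            self.users[uid].update(body["user"])
            return 200, {}, {"user": self.users[uid]}
        if (method, path) == ("GET", "/v3/auth/tokens"):
            uid = self.tokens.get(headers.get("X-Subject-Token"))
            if uid is None or (self.check_enabled and not self.users[uid]["enabled"]):
                return 404, {}, {}
            return 200, {}, {"token": {"user": {"id": uid}}}
        return 404, {}, {}


if __name__ == "__main__":
    print("as reported (no user re-check):",
          token_survives_disable(FakeKeystone(), "foo", "pw", USER_ID, ADMIN_TOKEN))
    print("server re-checks user at validation:",
          token_survives_disable(FakeKeystone(check_enabled=True), "foo", "pw", USER_ID, ADMIN_TOKEN))
```

To run the same check against a real deployment, supply a transport that sends each tuple as an HTTP request (for example, wrapping `requests.request(method, base_url + path, headers=headers, json=body)` and returning its status code, headers and JSON body); a result of True on step 3 is the behaviour this bug reports. The outcome depends on the token provider and revocation configuration in use, so treat a single run as a check of one deployment, not a statement about Keystone in general.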
