[Openstack-security] [Bug 1484237] Re: token revocations not always respected when using fernet tokens

Dolph Mathews 1484237 at bugs.launchpad.net
Thu Sep 10 17:45:53 UTC 2015


[Thu 12:37] <morgan> lbragstad: ah. then can we just move towards everything being not subsecond?
[Thu 12:37] <morgan> audit_ids mean subsecond isn't needed
[Thu 12:37] <morgan> the whole reason for subsecond was to make PKI tokens "unique"
[Thu 12:37] <morgan> so they didn't hash to the same value

So, as an alternative solution to this bug, I think we can opt to ensure
that no one expects subsecond precision from revocation events.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1484237

Title:
  token revocations not always respected when using fernet tokens

Status in Keystone:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  A simple test that shows that fernet tokens are not always being
  invalidated.

  Simple test steps:

  1) gets a token
  2) deletes a token
  3) tries to validate the deleted token

  When I run this in production on 10 tokens, I get about a 20% success
  rate on the token being detected as invalid; 80% of the time, keystone
  tells me the token is valid.

  I have validated that the token is showing in the revocation event
  table.

  I've tried a 5 second delay between the calls which did not change the
  behavior.

  My current script (below) will look for 204 and 404 to show failure
  and will wait forever. I've let it wait over 5 minutes; it seems to me
  that either keystone knows immediately that the token is invalid or
  not at all.

  I do not have memcache enabled on these nodes.

  The same test has a 100% pass rate with UUID tokens.
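The following is an added example, not the reporter's script and not Keystone's code. It models the comparison the IRC excerpt argues about (a token's issued_at checked against a revocation event's issued_before) and reruns the reporter's three steps, get a token, delete it, validate it, against that model. The in-memory FakeKeystone class, the precision mismatch it assumes (token timestamps keep microseconds while the stored event is truncated to whole seconds, as a datetime column without fractional seconds would do) and the constructed timestamps are all assumptions made for illustration; they are not a claim about Keystone's actual code path.

```python
# Added example, not code from the bug report or from Keystone. It models the
# revocation check discussed in the thread (token issued_at compared against a
# revocation event's issued_before) and reruns the reporter's get/delete/validate
# loop against that model, so both the flakiness and the whole-second fix are visible.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid


@dataclass(frozen=True)
class Token:
    token_id: str
    audit_id: str
    issued_at: datetime  # carries microseconds, i.e. a subsecond issued_at


@dataclass(frozen=True)
class RevocationEvent:
    audit_id: str
    issued_before: datetime  # tokens issued at or before this instant are revoked


def to_whole_second(ts: datetime) -> datetime:
    """Drop subsecond precision: the normalisation the IRC excerpt proposes."""
    return ts.replace(microsecond=0)


class FakeKeystone:
    """In-memory stand-in for the token service (an assumption, not Keystone).

    subsecond=True  keeps microseconds on the token but persists events at whole
                    seconds: the precision mismatch this example assumes.
    subsecond=False truncates both sides to whole seconds before comparing, so
                    nobody relies on subsecond precision from revocation events.
    """

    def __init__(self, subsecond: bool):
        self.subsecond = subsecond
        self.events = []

    def issue(self, now: datetime) -> Token:
        # Audit ids are what make tokens unique; the timestamp need not be.
        return Token(uuid.uuid4().hex, uuid.uuid4().hex, now)

    def delete(self, token: Token, now: datetime) -> None:
        # Constructed assumption: the event store keeps only whole seconds.
        self.events.append(RevocationEvent(token.audit_id, to_whole_second(now)))

    def validate(self, token: Token) -> int:
        """Return an HTTP-style status: 200 still valid, 404 revoked."""
        for ev in self.events:
            if ev.audit_id != token.audit_id:
                continue
            issued = token.issued_at if self.subsecond else to_whole_second(token.issued_at)
            if issued <= ev.issued_before:
                return 404
        return 200


def detection_rate(subsecond: bool, n: int = 10) -> float:
    """Run the reporter's three steps n times: get a token, delete it, validate it.

    Tokens are issued at constructed instants spread across one second so the
    result does not depend on wall-clock timing; each is deleted 50 ms later.
    """
    ks = FakeKeystone(subsecond)
    base = datetime(2015, 9, 10, 17, 45, 53, tzinfo=timezone.utc)
    detected = 0
    for i in range(n):
        issued_at = base + timedelta(microseconds=i * 100_000)  # .0, .1, ... .9 s
        tok = ks.issue(issued_at)
        ks.delete(tok, issued_at + timedelta(milliseconds=50))
        if ks.validate(tok) == 404:
            detected += 1
    return detected / n


if __name__ == "__main__":
    # With the mismatch only the token issued exactly on the second is caught;
    # after normalising both sides every deleted token is reported revoked.
    print("subsecond mismatch:", detection_rate(subsecond=True))
    print("whole seconds     :", detection_rate(subsecond=False))
```

With the mismatch, a token whose issued_at lies anywhere after the start of the second compares as "issued after" an event that was truncated back to that second, so only the token issued exactly on the boundary is rejected (1 in 10 here); truncating both sides before the comparison makes all 10 deletions take effect, which is the deterministic behaviour the reporter's 100% UUID-token pass rate shows is expected.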

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484237/+subscriptions