[Openstack-security] [Bug 1484237] Re: token revocations not always respected when using fernet tokens
Morgan Fainberg
morgan.fainberg at gmail.com
Tue Jan 17 19:52:46 UTC 2017
Kilo is EOL
** Changed in: keystone/kilo
Status: In Progress => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1484237
Title:
token revocations not always respected when using fernet tokens
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) kilo series:
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
A simple test that shows that fernet tokens are not always being
invalidated.
Simple test steps:
1) gets a token
2) deletes a token
3) tries to validate the deleted token
When I run this in production on 10 tokens, I get about a 20% success
rate on the token being detected as invalid, 80% of the time, keystone
tells me the token is valid.
I have validated that the token is showing in the revocation event
table.
I've tried a 5 second delay between the calls which did not change the
behavior.
My current script (below) will look for 204 and 404 to show failure
and will wait forever. I've let it wait over 5 minutes, it seems to me
that either keystone knows immediately that the token is invalid or
not at all.
I do not have memcache enabled on these nodes.
The same test has a 100% pass rate with UUID tokens.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484237/+subscriptions
More information about the Openstack-security
mailing list