<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">This looks pretty much like the write
up I put in the bug report.<br>
<br>
<br>
On 08/07/2013 09:22 AM, Clark, Robert Graham wrote:<br>
</div>
<blockquote
cite="mid:A0C170085C37664D93EE1604364858A10EC949D5@G4W3202.americas.hpqcorp.net"
type="cite">
<pre wrap="">[Draft] Please review and add content as you feel appropriate
Restarting memcached loses revoked token list
----
### Summary ###
When a cloud is deployed using Memcache as a backend for Keystone tokens
there is a security concern that restarting Memcached will loose the
list of revoked tokens, potentially allowing bad tokens / users to
access the system after they had been revoked.
### Affected Services / Software ###
Keystone, Memcache
### Discussion ###
There might be ways to mitigate in the future, such as running memcached
on multiple machines to ensure redundancy should the Keystone server
fail. In a clustered environment, it will only be an issue if all of the
memcached machines shutdown.
Memcachedb might also be a potential way to mitigate.
<a class="moz-txt-link-freetext" href="http://memcachedb.org/">http://memcachedb.org/</a>
NOTE: Some deployments may intentionally flush Memcached in response to
<a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ossn/+bug/1179955">https://bugs.launchpad.net/ossn/+bug/1179955</a> - please exercise caution
when considering how to approach this problem.
### Recommended Actions ###
This is a fundamental problem with using in-memory ephemeral storage for
security information. If your deployment has strong security
requirements or a reliance on up-to-date revoked token information we
suggest you consider using an on-disk DB such as MySQL / PostgreSQL or
perhaps look into Memcachedb.
### Contacts / References ###
This OSSN : <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/ossn/+bug/1182920">https://bugs.launchpad.net/ossn/+bug/1182920</a>
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack-ossg">https://launchpad.net/~openstack-ossg</a>
Robert Clark
Security Architect
HP Cloud Services
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openstack-security mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a>
</pre>
</blockquote>
<br>
</body>
</html>