[Openstack-security] [OSSN][DRAFT] Restarting memcached loses revoked token list

Clark, Robert Graham robert.clark at hp.com
Thu Aug 8 09:22:58 UTC 2013


Is there anything you'd like me to add / change – compared to most, the bug report was pretty detailed.

From: "ayoung at redhat.com" <ayoung at redhat.com>
Date: Thursday, 8 August 2013 00:50
To: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
Subject: Re: [Openstack-security] [OSSN][DRAFT] Restarting memcached loses revoked token list

This looks pretty much like the write up I put in the bug report.


On 08/07/2013 09:22 AM, Clark, Robert Graham wrote:

[Draft] Please review and add content as you feel appropriate

Restarting memcached loses revoked token list
----

### Summary ###
When a cloud is deployed using Memcache as a backend for Keystone tokens
there is a security concern that restarting Memcached will lose the
list of revoked tokens, potentially allowing bad tokens / users to
access the system after they had been revoked.


### Affected Services / Software ###
Keystone, Memcache

### Discussion ###
There might be ways to mitigate in the future, such as running memcached
on multiple machines to ensure redundancy should the Keystone server
fail. In a clustered environment, it will only be an issue if all of the
memcached machines shut down.

Memcachedb might also be a potential way to mitigate.
http://memcachedb.org/

NOTE: Some deployments may intentionally flush Memcached in response to
https://bugs.launchpad.net/ossn/+bug/1179955 - please exercise caution
when considering how to approach this problem.

### Recommended Actions ###
This is a fundamental problem with using in-memory ephemeral storage for
security information. If your deployment has strong security
requirements or a reliance on up-to-date revoked token information we
suggest you consider using an on-disk DB such as MySQL / PostgreSQL or
perhaps look into Memcachedb.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1182920
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

Robert Clark
Security Architect
HP Cloud Services






_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
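The failure mode the draft describes, as an added worked model (this is not Keystone code and not part of the thread): tokens are validated offline by a MAC, and the revocation list lives in a backend. The MAC-signed token, the backend classes, the key and the "restart" method are all assumptions standing in for Keystone's signed tokens, a memcached token backend and an on-disk SQL backend. After a restart, the ephemeral backend accepts the token that was revoked before the restart; the durable backend still rejects it.

```python
"""Toy model of the OSSN issue: a revocation list kept only in an ephemeral
store (memcached) vanishes on restart, one kept on disk survives.
Added example, not Keystone code. The HMAC 'signed token' is an assumption
standing in for Keystone's signed tokens; the key below is constructed."""
import hashlib
import hmac
import json
import os
import sqlite3
import tempfile
import time

SIGNING_KEY = b"constructed-demo-key"  # constructed for the demo, not a real key


def issue_token(user, ttl=3600, now=None):
    """Issue a self-describing token that can be validated offline by its MAC."""
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "exp": now + ttl}, sort_keys=True)
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def token_id(token):
    return hashlib.sha256(token.encode()).hexdigest()


class EphemeralRevocations:
    """Stands in for memcached: process memory, lost on restart or flush."""
    def __init__(self):
        self._revoked = set()

    def revoke(self, tid):
        self._revoked.add(tid)

    def is_revoked(self, tid):
        return tid in self._revoked

    def restart(self):
        self._revoked = set()  # memcached restart / flush_all: list is gone


class DurableRevocations:
    """Stands in for an on-disk DB (MySQL/PostgreSQL); sqlite file used here."""
    def __init__(self, path):
        self.path = path
        self._open()

    def _open(self):
        self.db = sqlite3.connect(self.path)
        self.db.execute("CREATE TABLE IF NOT EXISTS revoked (id TEXT PRIMARY KEY)")
        self.db.commit()

    def revoke(self, tid):
        self.db.execute("INSERT OR IGNORE INTO revoked VALUES (?)", (tid,))
        self.db.commit()

    def is_revoked(self, tid):
        row = self.db.execute("SELECT 1 FROM revoked WHERE id = ?", (tid,)).fetchone()
        return row is not None

    def restart(self):
        self.db.close()   # service restart: connection dropped ...
        self._open()      # ... and reopened against the same on-disk data

    def close(self):
        self.db.close()


def validate(token, revocations, now=None):
    """Offline validation: MAC, expiry, then the revocation list."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    now = time.time() if now is None else now
    if json.loads(body)["exp"] <= now:
        return False
    return not revocations.is_revoked(token_id(token))


def revoked_token_survives_restart(backend):
    """True if a token revoked before a backend restart is accepted after it,
    i.e. the backend exhibits the problem the OSSN describes."""
    tok = issue_token("alice")
    backend.revoke(token_id(tok))
    assert not validate(tok, backend)   # rejected while the list is intact
    backend.restart()
    return validate(tok, backend)


def durable_demo():
    """Run the same check against the on-disk backend; returns False."""
    with tempfile.TemporaryDirectory() as d:
        backend = DurableRevocations(os.path.join(d, "revocations.db"))
        result = revoked_token_survives_restart(backend)
        backend.close()
        return result


if __name__ == "__main__":
    print("memcache-style backend lets revoked token through after restart:",
          revoked_token_survives_restart(EphemeralRevocations()))
    print("sql-style backend lets revoked token through after restart:",
          durable_demo())
```

The model also shows why the note about bug 1179955 matters: a deliberate `flush_all` against memcached has exactly the same effect on the revocation list as a restart, so a deployment that flushes the cache as a mitigation for that bug trades one problem for this one unless the revocation list lives elsewhere.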
