[Openstack-security] [Bug 1292283] Re: revocation events: deleting a token revokes all tokens with same expiration

OpenStack Infra 1292283 at bugs.launchpad.net
Tue Aug 26 16:47:55 UTC 2014


Reviewed:  https://review.openstack.org/114864
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ea185a25a235d339d0d9282fbc08905fa1949b92
Submitter: Jenkins
Branch:    master

commit ea185a25a235d339d0d9282fbc08905fa1949b92
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date:   Mon Aug 25 20:17:47 2014 -0700

    Revoke by Audit Id / Audit Id Chain instead of expires
    
    Instead of using the expiry of the token, which can collide (is
    non-unique in some/many cases), use the new Audit ID for the tokens
    when revoking a single token via the token revocation events.
    
    Support for revoking by the audit_chain_id has been added to the
    token provider; however, the REST API has not been updated to
    accept an argument to revoke the chain. Support for revoking
    the entire chain is in place to allow Keystone to internally
    revoke an entire chain in certain circumstances. Exposing the
    ability to revoke the entire chain via the REST API may occur
    based upon further design discussions.
    
    Change-Id: I840355ccd9bcfcd88aa139184731c056808c2c8f
    bp: non-persistent-tokens
    Closes-Bug: 1292283


** Changed in: keystone
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1292283

Title:
  revocation events: deleting a token revokes all tokens with same
  expiration

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Identity (Keystone):
  Fix Committed

Bug description:
  As part of the design process for revocation events it was determined
  that a mechanism to revoke all dependent tokens was needed. This
  covers the case of revoking a token and ensuring all tokens that were
  created from that token are also revoked.

  To accomplish this, the revocation of a specific token is done by
  expiration_time. The expiration_time attribute is never changed on
  subsequent tokens. This means it is easy to ensure revocation of an
  entire chain of tokens.

  This poses an issue if any specific token (or all tokens that are a
  child of a specific token) should be revoked, but the parent tokens
  should not be revoked.

  Use case:

  Get Unscoped token
  Get Scoped Token from Unscoped token
  Get New Scoped Token
  Revoke first unscoped token
  Now all tokens (including the Unscoped token) are revoked because they share an expiration_time.

  Likely there needs to be a solution that allows for revoking based
  upon expiration_time and issued_at and one that revokes on
  expiration_time alone. Revoking by expiration_time alone is API
  incompatible with previous API mechanisms (both V2 and V3).

  This is the reason bug https://bugs.launchpad.net/horizon/+bug/1291099
  was identified.
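The over-revocation described above, and the audit-id based matching the committed fix moves to, as an added model (not Keystone code): token and event attribute names, the "rescoped tokens inherit the root's expiry and chain id" rule, and the epoch value are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

@dataclass(frozen=True)
class Token:
    token_id: str
    expires_at: int       # inherited unchanged by every token rescoped from the root
    audit_id: str         # unique per token
    audit_chain_id: str   # audit_id of the chain's root token

def issue_token(expires_at: int, parent: Optional[Token] = None) -> Token:
    """Rescoping keeps the parent's expiry and chain id (assumed model, not Keystone code)."""
    audit_id = secrets.token_urlsafe(16)
    chain_id = parent.audit_chain_id if parent else audit_id
    return Token(secrets.token_hex(16), expires_at, audit_id, chain_id)

@dataclass(frozen=True)
class RevocationEvent:
    """Every attribute that is set must match the token; None is a wildcard."""
    expires_at: Optional[int] = None
    audit_id: Optional[str] = None
    audit_chain_id: Optional[str] = None

def is_revoked(token: Token, events: list) -> bool:
    for ev in events:
        pairs = [(ev.expires_at, token.expires_at), (ev.audit_id, token.audit_id),
                 (ev.audit_chain_id, token.audit_chain_id)]
        wanted = [(w, h) for w, h in pairs if w is not None]
        if wanted and all(w == h for w, h in wanted):
            return True
    return False

def scenario() -> dict:
    """The report's use case: an unscoped token, two scoped tokens derived from it,
    then three ways of revoking. Returns rule -> {token name -> revoked?}."""
    unscoped = issue_token(expires_at=1_700_000_000)          # constructed epoch value
    scoped1 = issue_token(unscoped.expires_at, parent=unscoped)
    scoped2 = issue_token(unscoped.expires_at, parent=unscoped)
    tokens = {"unscoped": unscoped, "scoped1": scoped1, "scoped2": scoped2}
    rules = {   # buggy rule first, then the two audit-id based rules from the fix
        "expiry_of_unscoped": [RevocationEvent(expires_at=unscoped.expires_at)],
        "audit_id_of_scoped1": [RevocationEvent(audit_id=scoped1.audit_id)],
        "chain_of_unscoped": [RevocationEvent(audit_chain_id=unscoped.audit_chain_id)],
    }
    return {rule: {name: is_revoked(t, evs) for name, t in tokens.items()}
            for rule, evs in rules.items()}
```

Matching on expires_at revokes all three tokens, matching on audit_id revokes only the one scoped token, and matching on audit_chain_id revokes the whole chain deliberately rather than by collision.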

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1292283/+subscriptions