[Openstack-security] [Bug 1329737] Re: Valid tokens remain after token's user was deleted
Dolph Mathews
1329737 at bugs.launchpad.net
Fri Jun 13 16:18:49 UTC 2014
We'll be utilizing https://blueprints.launchpad.net/keystone/+spec/revocation-events
in Juno, which will better address this.
** Tags added: security
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone
Milestone: None => juno-3
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1329737
Title:
Valid tokens remain after token's user was deleted
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
When a user is deleted, the deleted user's tokens are expired after committing the transaction for deleting the user.
If the database dies while tokens are being expired, the remaining tokens will lose the chance to expire until 24 hours later.
(Because the user is already deleted.)
In this case, the remaining tokens are able to be used to authenticate despite the fact that the token's user was deleted.
I think this case is dangerous from the security point of view.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329737/+subscriptions
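The ordering problem in the bug description, modelled as an added example (not Keystone code and not part of the original message): deletion committed before token expiry, an outage in between, and two generic mitigations, one shared transaction and a validation-time check that the token's user still exists. The schema, the function names and the `fail_after` and `check_user` parameters are hypothetical, and neither mitigation is the revocation-events design referenced above.

```python
import sqlite3

class StorageDown(Exception):
    """Constructed stand-in for the database dying mid-operation."""

def new_db():
    # Constructed sample data: one user holding three unexpired tokens.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id TEXT PRIMARY KEY);
        CREATE TABLE tokens (id TEXT PRIMARY KEY, user_id TEXT, revoked INTEGER DEFAULT 0);
        INSERT INTO users VALUES ('alice');
        INSERT INTO tokens (id, user_id) VALUES ('t1','alice'), ('t2','alice'), ('t3','alice');
    """)
    return db

def revoke_tokens(db, user_id, fail_after=None):
    # fail_after=N simulates the outage after N tokens have been processed.
    rows = db.execute("SELECT id FROM tokens WHERE user_id=? ORDER BY id", (user_id,)).fetchall()
    for n, (token_id,) in enumerate(rows):
        if n == fail_after:
            raise StorageDown("database went away while expiring tokens")
        db.execute("UPDATE tokens SET revoked=1 WHERE id=?", (token_id,))

def delete_user_as_reported(db, user_id, fail_after=None):
    # Ordering from the bug description: the deletion is committed first,
    # token expiry runs afterwards as a separate unit of work.
    db.execute("DELETE FROM users WHERE id=?", (user_id,))
    db.commit()
    _finish(db, lambda: revoke_tokens(db, user_id, fail_after))

def delete_user_atomic(db, user_id, fail_after=None):
    # Expiry and deletion share one transaction: both land or neither does.
    def work():
        revoke_tokens(db, user_id, fail_after)
        db.execute("DELETE FROM users WHERE id=?", (user_id,))
    _finish(db, work)

def _finish(db, work):
    try:
        work()
        db.commit()
    except StorageDown:
        db.rollback()  # uncommitted changes are lost with the connection
        raise

def usable_tokens(db, check_user=False):
    # check_user=True also requires the token's owner to still exist.
    sql = "SELECT t.id FROM tokens t WHERE t.revoked=0"
    if check_user:
        sql += " AND EXISTS (SELECT 1 FROM users u WHERE u.id=t.user_id)"
    return [r[0] for r in db.execute(sql + " ORDER BY t.id")]
```

After a simulated outage, the as-reported ordering leaves the user gone and every token still usable unless validation checks the owner, while the atomic variant leaves the user and tokens intact so the deletion can simply be retried.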