[Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens
Matthew Edmonds
edmondsw at us.ibm.com
Wed Mar 12 16:35:15 UTC 2014
Setting a higher value for token_cache_time and a lower value for
revocation_cache_time (assuming we start using the revocation list here
as proposed by https://review.openstack.org/#/c/78241/) would allow you
to gain the performance improvement of not having to re-request tokens
as often while satisfying the security requirement that revocation take
effect in a timely manner. Yes, the revocation list is being requested
more frequently, and may offset some of the performance gains from
caching tokens. But the revocation list can be used to validate any
token, so multiple tokens could be validated over the life of the cached
revocation list, instead of each token validation requiring a call back
to keystone should token_cache_time be similarly reduced.
--
https://bugs.launchpad.net/bugs/1287301
Title:
Keystone client token cache doesn't respect revoked tokens
Status in OpenStack Security Advisories:
Invalid
Status in Python client library for Keystone:
In Progress
Bug description:
If we enable caching for keystoneclient tokens, we will be able to use
tokens that are already revoked if they are present in the cache:
https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
Steps to recreate:
1) get a token
2) use it to make a request via keystoneclient using default properties (thus it will be cached)
3) delete the token
4) use the token to make another request via keystoneclient
Expected result: the token should not work (HTTP 401)
Actual result: the token still works
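The following is an added illustration of the two cache policies discussed in this thread; it is not code from python-keystoneclient or from the linked review. It models a fake identity backend and a token cache with a configurable token_cache_time and revocation_cache_time. With no revocation list (revocation_cache_time=None) it reproduces the bug report's steps: a revoked token keeps validating from the cache. With a revocation list refreshed on its own, shorter interval, the revoked token is rejected at the next cache hit, and one revocation-list fetch covers every cached token, which is the trade-off Matthew describes. All class and function names (FakeKeystone, TokenCache, Clock, reproduce, batch_check) are hypothetical, and the token ids are constructed sample values.

```python
"""Revocation-aware token caching, constructed example (not keystoneclient code)."""


class Clock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeKeystone:
    """Stand-in for the identity service; counts remote calls made by the cache."""

    def __init__(self):
        self._valid = set()
        self._revoked = set()
        self.validate_calls = 0
        self.revocation_list_calls = 0

    def issue(self, token_id):
        self._valid.add(token_id)
        return token_id

    def revoke(self, token_id):
        self._valid.discard(token_id)
        self._revoked.add(token_id)

    def validate(self, token_id):
        self.validate_calls += 1
        return token_id in self._valid

    def revocation_list(self):
        self.revocation_list_calls += 1
        return set(self._revoked)


class TokenCache:
    """Caches positive validation results for token_cache_time seconds.

    revocation_cache_time=None: cache hits are trusted outright (the reported bug).
    revocation_cache_time=N:    cache hits are checked against a revocation list
                                that is re-fetched at most every N seconds.
    """

    def __init__(self, keystone, clock, token_cache_time, revocation_cache_time=None):
        self.ks = keystone
        self.clock = clock
        self.token_cache_time = token_cache_time
        self.revocation_cache_time = revocation_cache_time
        self._tokens = {}  # token_id -> time until which the cached result is valid
        self._revoked = set()
        self._revoked_fetched_at = None

    def _revocation_list(self):
        now = self.clock()
        stale = (self._revoked_fetched_at is None
                 or now - self._revoked_fetched_at >= self.revocation_cache_time)
        if stale:
            self._revoked = self.ks.revocation_list()
            self._revoked_fetched_at = now
        return self._revoked

    def is_valid(self, token_id):
        now = self.clock()
        cached_until = self._tokens.get(token_id)
        if cached_until is not None and now < cached_until:
            if self.revocation_cache_time is None:
                return True  # bug: revoked token accepted until token_cache_time expires
            if token_id in self._revocation_list():
                self._tokens.pop(token_id, None)  # drop the stale positive entry
                return False
            return True
        ok = self.ks.validate(token_id)  # cache miss: round-trip to keystone
        if ok:
            self._tokens[token_id] = now + self.token_cache_time
        return ok


def reproduce(revocation_cache_time):
    """Steps from the bug report; returns (before_revoke, after_revoke, validate_calls, revlist_calls)."""
    ks, clock = FakeKeystone(), Clock()
    cache = TokenCache(ks, clock, token_cache_time=300, revocation_cache_time=revocation_cache_time)
    tok = ks.issue("tok-1")  # constructed token id
    first = cache.is_valid(tok)
    ks.revoke(tok)
    clock.advance(5)
    second = cache.is_valid(tok)
    return first, second, ks.validate_calls, ks.revocation_list_calls


def batch_check(n_tokens, revocation_cache_time=60):
    """Many cached tokens re-checked after one revocation: one list fetch, no extra validate calls."""
    ks, clock = FakeKeystone(), Clock()
    cache = TokenCache(ks, clock, 300, revocation_cache_time)
    tokens = [ks.issue(f"tok-{i}") for i in range(n_tokens)]  # constructed ids
    for t in tokens:
        cache.is_valid(t)
    ks.revoke(tokens[0])
    clock.advance(10)
    results = [cache.is_valid(t) for t in tokens]
    return results, ks.validate_calls, ks.revocation_list_calls


if __name__ == "__main__":
    print("cache only:      ", reproduce(None))
    print("with revocation: ", reproduce(1))
    print("batch of 5:      ", batch_check(5))
```

Lowering revocation_cache_time bounds how long a revoked token stays usable, while token_cache_time can stay high because the list check, not a per-token round trip, provides freshness.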