[Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens

Morgan Fainberg morgan.fainberg at gmail.com
Thu Apr 23 16:38:34 UTC 2015


For the record, I'm fine with this being either OSSN or OSSA. This
should be clearly communicated.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1434034

Title:
  Disabling users & groups may not invalidate previously-issued tokens

Status in OpenStack Identity (Keystone):
  In Progress
Status in Keystone juno series:
  In Progress
Status in OpenStack Security Advisories:
  Confirmed
Status in OpenStack Security Notes:
  New

Bug description:
  Even if the user is disabled, can use the last token is validated.

  0. user foo is enable
  1. get token (a)
  2. user foo  is disabled
  3. foo can still use any APIs by token(a)

  that's all.
  This issue is not cache process.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions




More information about the Openstack-security mailing list