[Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens
Nathan Kinder
nkinder at redhat.com
Thu Apr 23 16:53:17 UTC 2015
I think this should be an OSSN (not an OSSA). I do agree that this is
more of a "tribal knowledge" item at this point, but we need to get the
word out abotu how it bahaves more broadly. I honestly don't think that
this is a solvable problem. The token validity period needs to be a
choice of acceptable risk (just as it is for things like a Kerberos
deployment).
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1434034
Title:
Disabling users & groups may not invalidate previously-issued tokens
Status in OpenStack Identity (Keystone):
In Progress
Status in Keystone juno series:
In Progress
Status in OpenStack Security Advisories:
Confirmed
Status in OpenStack Security Notes:
New
Bug description:
Even if the user is disabled, can use the last token is validated.
0. user foo is enable
1. get token (a)
2. user foo is disabled
3. foo can still use any APIs by token(a)
that's all.
This issue is not cache process.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions
More information about the Openstack-security
mailing list