Token is not revoked after logout in Fuel UI
Bug #1375622 reported by Łukasz Oleś
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Fuel for OpenStack | Fix Committed | Medium | Vitaly Kramskikh | |
Bug Description
In the 5.1 release, access control was introduced for the Fuel master node. Keystone is used for authentication. When a user uses Fuel UI, he needs to provide a user name and password, and he gets an authorization token which allows him to use Fuel UI.
When the user presses the logout link, his token is cleared from the cache, but is not deleted.
If the token was somehow stolen, it can be used until it expires.
Proposed solution:
When the user logs out, his token should be revoked. If for some reason Keystone is not accessible at this moment, there shouldn't be any error.
Changed in fuel: | |
importance: | Undecided → Critical |
Changed in fuel: | |
assignee: | nobody → Fuel UI Team (fuel-ui) |
Changed in fuel: | |
assignee: | Fuel UI Team (fuel-ui) → Przemyslaw Kaminski (pkaminski) |
Changed in fuel: | |
assignee: | Przemyslaw Kaminski (pkaminski) → Vitaly Kramskikh (vkramskikh) |
status: | Fix Committed → In Progress |
Changed in fuel: | |
status: | In Progress → Fix Committed |
Fix proposed to branch: master
Review: https://review.openstack.org/125933
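
The proposed solution in the bug description (revoke the token on logout, and raise no error if Keystone is unreachable), sketched as an added example that is not Fuel UI's code or the committed fix. It assumes Keystone's v3 revocation call (`DELETE /v3/auth/tokens` with `X-Subject-Token`); `KEYSTONE_URL`, the `session` object and all function names are hypothetical.

```javascript
// Added example. KEYSTONE_URL, the session shape and function names are assumptions.
const KEYSTONE_URL = "https://fuel.example.invalid/keystone"; // placeholder

// Keystone v3 revocation: DELETE /v3/auth/tokens, with the caller's token in
// X-Auth-Token and the token to revoke in X-Subject-Token.
function buildRevokeRequest(baseUrl, token) {
  return {
    url: baseUrl.replace(/\/+$/, "") + "/v3/auth/tokens",
    options: {
      method: "DELETE",
      headers: { "X-Auth-Token": token, "X-Subject-Token": token },
    },
  };
}

// Default transport: fetch with a hard timeout so logout never hangs.
async function fetchWithTimeout(url, options, timeoutMs = 3000) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    return await fetch(url, { ...options, signal: ctrl.signal });
  } finally {
    clearTimeout(timer);
  }
}

// Clears the client-side copy first, then asks Keystone to revoke the token.
// Never rejects: the outcome is returned so the caller can log it.
async function logout(session, transport = fetchWithTimeout, baseUrl = KEYSTONE_URL) {
  const token = session.token;
  session.token = null; // local cache is cleared unconditionally
  if (!token) return { revoked: false, reason: "no-token" };
  const { url, options } = buildRevokeRequest(baseUrl, token);
  try {
    const res = await transport(url, options);
    if (res.status === 204) return { revoked: true, status: 204 };
    return { revoked: false, reason: "http-" + res.status };
  } catch (err) {
    // Keystone unreachable or timed out: logout still completes locally.
    return { revoked: false, reason: "unreachable" };
  }
}
```

A `revoked: false` result means the token stays valid server-side until it expires, so it is worth recording for later review.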