Date | Who | What changed | Old value | New value | Message
2012-12-03 23:28:04 | Kieran Spear | bug | | | added bug
2012-12-04 21:28:43 | Gabriel Hurley | horizon: importance | Undecided | Low |
2012-12-04 21:28:43 | Gabriel Hurley | horizon: status | New | Confirmed |
2012-12-04 21:28:43 | Gabriel Hurley | horizon: milestone | | grizzly-2 |
2013-01-06 23:46:27 | Gabriel Hurley | horizon: milestone | grizzly-2 | grizzly-3 |
2013-02-09 23:33:39 | Gabriel Hurley | horizon: milestone | grizzly-3 | |
2013-08-23 20:50:47 | David Lyle | bug task added | | django-openstack-auth |
2013-08-23 20:50:59 | David Lyle | django-openstack-auth: importance | Undecided | Low |
2013-08-23 20:51:03 | David Lyle | django-openstack-auth: status | New | Confirmed |
2014-12-12 15:14:37 | Vlad Okhrimenko | horizon: assignee | | Vlad Okhrimenko (vokhrimenko) |
2014-12-12 15:14:42 | Vlad Okhrimenko | django-openstack-auth: assignee | | Vlad Okhrimenko (vokhrimenko) |
2014-12-15 12:59:52 | Timur Sufiev | summary | openstack_auth caches roles and service catalog until logout | User is not logged out once his token is revoked by keystone |
2014-12-15 13:03:13 | Timur Sufiev | description |
  Old value:
  Wasn't sure where to target this bug since the code lives elsewhere...
  The openstack_auth backend caches credentials in the session when a user logs in and never updates roles or the service catalog until the next time the user logs in.
  This means that added/revoked permissions require action from the user to take effect, and revoked permissions can potentially stick around forever. Ultimately Keystone has the final say in what a user is allowed to do to each OpenStack service, but any dashboard code that relies on the permissions mechanism for access control is vulnerable here.
  I think by default the list of roles should be checked once on every request, with a settings option to enable caching for a limited period if required. |
  New value:
  Once a user's token is revoked (due to, for example, reducing the user's set of roles in the current tenant), on the next request he is not logged out, but instead gets a bunch of 'Unauthorized' errors. Not redirecting the user to the log-in page in that case does not make sense because he can't do anything useful without a valid token. |
2014-12-17 16:15:00 | OpenStack Infra | horizon: status | Confirmed | In Progress |
2015-01-09 17:19:07 | OpenStack Infra | django-openstack-auth: status | Confirmed | In Progress |
2015-01-30 09:57:45 | Andrey Larionov | bug | | | added subscriber Andrey Larionov
2015-01-30 10:54:39 | Timur Sufiev | django-openstack-auth: status | In Progress | Invalid |
2015-01-30 10:54:44 | Timur Sufiev | django-openstack-auth: importance | Low | Undecided |
2015-01-30 10:54:46 | Timur Sufiev | django-openstack-auth: assignee | Vlad Okhrimenko (vokhrimenko) | |
2015-01-30 10:55:07 | Timur Sufiev | horizon: assignee | Vlad Okhrimenko (vokhrimenko) | Paul Karikh (pkarikh) |
2015-03-11 15:34:48 | Paul Karikh | marked as duplicate | | 1252341 |