We need a couple of keystone-core reviews on these patches.
Here is a draft description. Right now it's mostly one long awkward sentence. There's probably a more elegant way of describing it ...
Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom
Description:
Dolph Mathews reported a vulnerability in Keystone. If you revoke a role from a user from the admin API and then validate a token that existed before revoking the role, the token validation response will still include that role.
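A constructed Python model of the behaviour the draft describes, added here as an illustration and not Keystone's own code: the vulnerable path answers a validation request from the role snapshot stored with the token, while the corrected path re-resolves the token's roles against the current assignments at validation time so a revoked role drops out of the response. The class, user and project names (ToyKeystone, alice, proj1) are assumptions.

```python
"""Toy model of a token service whose validation response ignores role revocation (constructed example)."""
from dataclasses import dataclass
import secrets


@dataclass
class Token:
    token_id: str
    user_id: str
    tenant_id: str
    roles: tuple  # role snapshot taken when the token was issued


class ToyKeystone:
    def __init__(self):
        self.assignments = {}  # (user_id, tenant_id) -> set of role names
        self.tokens = {}       # token_id -> Token

    def grant_role(self, user_id, tenant_id, role):
        self.assignments.setdefault((user_id, tenant_id), set()).add(role)

    def revoke_role(self, user_id, tenant_id, role):
        # Revocation only touches the assignment table, not issued tokens.
        self.assignments.get((user_id, tenant_id), set()).discard(role)

    def issue_token(self, user_id, tenant_id):
        roles = tuple(sorted(self.assignments.get((user_id, tenant_id), set())))
        tok = Token(secrets.token_hex(16), user_id, tenant_id, roles)
        self.tokens[tok.token_id] = tok
        return tok.token_id

    def validate_vulnerable(self, token_id):
        # Returns the snapshot stored with the token, so a role revoked
        # after issuance is still reported as held.
        return list(self.tokens[token_id].roles)

    def validate_fixed(self, token_id):
        # Re-checks each snapshotted role against the current assignments,
        # so a revoked role is absent from the validation response.
        tok = self.tokens[token_id]
        current = self.assignments.get((tok.user_id, tok.tenant_id), set())
        return sorted(r for r in tok.roles if r in current)


def demo():
    """Grant two roles, issue a token, revoke one role, then validate both ways."""
    ks = ToyKeystone()
    ks.grant_role("alice", "proj1", "admin")
    ks.grant_role("alice", "proj1", "member")
    tid = ks.issue_token("alice", "proj1")
    ks.revoke_role("alice", "proj1", "admin")
    return ks.validate_vulnerable(tid), ks.validate_fixed(tid)
```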