OpenStack Identity (keystone)

revoke token does not revoke the tokens created by the original

Bug #1155255 reported by Adam Young
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Wishlist
Unassigned

Bug Description

 We don't keep track of what token was used to create a token.
So If we revoke a specific token, and that token was used to create another token, the "downstream" token does not get revoked.

Revision history for this message
Dolph Mathews (dolph) wrote :

This also affects trusts; "in addition to revoking all tokens" you need "to revoke all tokens created by trusts of that trustor" -ayoung

Changed in keystone:
importance: Undecided → High
status: New → Triaged
Revision history for this message
Dolph Mathews (dolph) wrote :

Related to bug 1097995 -- deleting a domain should cascade to delete that domain's users, as well as revoking tokens created by trusts where the trustor is in the deleted domain (sorry that's so confusing!).

Revision history for this message
Thierry Carrez (ttx) wrote :

I'm not sure that's a vulnerability to be honest. I'm fine with fixing it -- just not convinced the current behavior should be seen as a vulnerability (in the same way as bug 1097995 is not seen as one).

You can still revoke those tokens manually, I suspect ? I guess that's a question of natural expectations. Is the revocation operation seen as atomic (revoke token), or functional (revoke this token and everything related to it) ? Unless we clearly advertised that the "revoke token" operation also revokes tokens created by this token, I think this is not vulnerability territory.

Changed in keystone:
status: Triaged → Incomplete
Revision history for this message
Adam Young (ayoung) wrote :

Then lets do this as "feature request" I'll open it as a separate bug if all approve.

summary: - revoke token does not revoke the tokens created buy the original
+ revoke token does not revoke the tokens created by the original
Revision history for this message
Russell Bryant (russellb) wrote :

Yeah, this doesn't seem like a vulnerability to me.

Revision history for this message
Thierry Carrez (ttx) wrote :

Opened

information type: Private Security → Public
Changed in keystone:
status: Incomplete → Confirmed
importance: High → Wishlist
Juan Antonio Osorio Robles (juan-osorio-robles)
Changed in keystone:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
Revision history for this message
Adam Young (ayoung) wrote :

The work for this is well underway with the revocation events.

Changed in keystone:
assignee: Juan Antonio Osorio Robles (juan-osorio-robles) → Adam Young (ayoung)
Revision history for this message
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

OK, thanks for the heads up. I was already looking into it.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Adam Young (ayoung) → nobody
Revision history for this message
Steve Martinelli (stevemar) wrote :

this is covered by revocation events and audit ids that have been around for a few releases

Changed in keystone:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.