restarting memcached loses revoked token list
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Invalid
|
High
|
Unassigned | ||
OpenStack Security Notes |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
With the memcached backend to tokens, the revoked token list only lasts as long as the memcached server is up and running. Thus, if the Keystone server is restarted, all token revocations are dropped, and they will not show up in later token revocation list requests.
To reproduce:
0. Set up keystone using the memcached backend to tokens
1. Create a token and ensure that it can be used via auth_token middleware
2. Revoke the token
3. fetch the revocation list and ensure that the token is listed
4. restart Keystone
5. fetch the revocation list and see that the token is not listed
6. wait until the token revocation list has timed out and reissue request to a different remote service, token will be processed as valid.
There are some mitigating factors. Just submitting the revoked token to the same service after keystone has restarted will not show the error if the service is using memcached to hold the revocation list. Restarting the memcache instance used by the remote server will dump the revocation list, and the problem will then appear.
I have not yet verified this problem, but it follows from memcache.
Keystone uses a local memcache instance. If it were to be set up to use a remote memcache service, it would take restarting memcache to trigger the problem, and not keystone.
This affects PKI tokens only. UUID tokens are not affected: restarting memcached will drop them all, and they will report as invalid tokens.
The KVS backend is affected as well.
Changed in ossa: | |
status: | New → Incomplete |
no longer affects: | ossa |
information type: | Private Security → Public |
Changed in ossn: | |
status: | In Progress → Fix Released |
Changed in keystone: | |
status: | Confirmed → Triaged |
Adding keystone-core for patching