Keystone client token cache doesn't respect revoked tokens
Bug #1287301 reported by Alexei Kornienko
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
python-keystoneclient | Fix Released | Medium | Adam Young |
Bug Description
If we enable caching for keystoneclient tokens, we are able to use tokens that have already been revoked if they are present in the cache:
Steps to recreate:
1) get a token
2) use it to make a request via keystoneclient using default properties (thus it will be cached)
3) delete the token
4) use the token to make another request via keystoneclient
Expected result: the token should not work (HTTP 401)
Actual result: the token still works
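As an added example that is not part of the bug report or of keystoneclient's code: a minimal token-validation cache that walks through steps 1-4 above, first with a TTL-only cache that reproduces the reported behaviour, then with a variant that checks the identity service's revocation list on every lookup. IdentityService, the class and function names, the TTL and the token id are constructed for the example; the revocation-list check is an illustrative fix, not necessarily the one merged upstream.

```python
import time
CACHE_TTL = 300  # seconds; constructed value for the example

class IdentityService:
    """Stand-in for Keystone: issues, revokes and validates tokens."""
    def __init__(self):
        self._tokens = {}      # token id -> user name
        self._revoked = set()  # ids of deleted (revoked) tokens
    def issue(self, token_id, user):
        self._tokens[token_id] = user
    def revoke(self, token_id):
        self._tokens.pop(token_id, None)
        self._revoked.add(token_id)
    def validate(self, token_id):
        return self._tokens.get(token_id)  # None if unknown or revoked
    def revocation_list(self):
        return frozenset(self._revoked)

class NaiveTokenCache:
    """Behaviour from the report: a hit is trusted until its TTL expires,
    so Keystone is never asked again and revocation goes unnoticed."""
    def __init__(self, identity, ttl=CACHE_TTL, now=time.time):
        self._identity, self._ttl, self._now = identity, ttl, now
        self._cache = {}  # token id -> (user, expiry timestamp)
    def validate(self, token_id):
        hit = self._cache.get(token_id)
        if hit is not None and hit[1] > self._now():
            return hit[0]  # served from cache, no revocation check
        user = self._identity.validate(token_id)
        if user is not None:
            self._cache[token_id] = (user, self._now() + self._ttl)
        return user

class RevocationAwareTokenCache(NaiveTokenCache):
    """Fix: check the revocation list on every lookup and evict cached
    entries for revoked tokens, so an entry cannot outlive its token."""
    def validate(self, token_id):
        if token_id in self._identity.revocation_list():
            self._cache.pop(token_id, None)
            return None
        return super().validate(token_id)

def revoked_token_still_works(cache_cls):
    """Steps 1-4 of the report; True means the deleted token is accepted."""
    ks = IdentityService()
    cache = cache_cls(ks)
    ks.issue("tok-abc", "alice")                  # 1) get a token (constructed id)
    assert cache.validate("tok-abc") == "alice"   # 2) first request populates the cache
    ks.revoke("tok-abc")                          # 3) delete the token
    return cache.validate("tok-abc") is not None  # 4) reuse it; should be False
```

Running `revoked_token_still_works` with each cache class shows the naive cache accepting the deleted token and the revocation-aware cache rejecting it.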
Changed in ossa:
- status: New → Incomplete
- affects: keystone → python-keystoneclient
- information type: Private Security → Public Security

Changed in python-keystoneclient:
- milestone: none → 0.7.0
- importance: Undecided → Critical

Changed in python-keystoneclient:
- assignee: nobody → Alexei Kornienko (alexei-kornienko)
- status: New → In Progress

Changed in python-keystoneclient:
- assignee: Alexei Kornienko (alexei-kornienko) → Adam Young (ayoung)

Changed in python-keystoneclient:
- milestone: 0.7.0 → 0.7.1

Changed in python-keystoneclient:
- milestone: 0.7.1 → none

Changed in python-keystoneclient:
- milestone: none → 0.9.0

Changed in python-keystoneclient:
- status: Fix Committed → Fix Released
There is a fix available - https://review.openstack.org/#/c/78241/