Comment 22 for bug 1434034

Morgan Fainberg (mdrnstm) wrote : Re: Even if the user is disabled, can use the last token is validated

@thierry,

Unfortunately, in this case that is incorrect. The part split out to the keystone middleware bug is a deferred invalidation. The bug here is that in the case of a read-only LDAP backend (e.g. Active Directory), if a user or group is disabled/deleted/etc., the tokens for those users (or authorization for the users in the group) will not be revoked at all.

This means that interactions with APIs that are not keystone (nova, glance, etc.) will continue to work for the life of the token. The interaction with the keystone API should be prevented in some cases (some APIs check if the user from the context exists).

The only token provider unaffected is the new fernet tokens because keystone must lookup the user / groups to validate the token.

Even if this is fixed for UUID tokens, PKI tokens will still see this gap for non-Keystone APIs when the PKI token is validated at the endpoint, since there is no active way for keystone to communicate that a user was disabled directly in the backend. Read-only LDAP identity is a common deployment mode.
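The gap described in this comment, reduced to a constructed toy model (this is an added illustration, not Keystone code; the backend, token store and validator names below are invented for the example). A persisted-token validator consults only the token record and the revocation list, so a change made directly in a read-only directory (user disabled, user removed from a group) is never seen. A validator that re-reads the user and their group memberships at validation time, which is what the comment credits the fernet provider with doing, rejects the token or drops the roles the user no longer holds.

```python
"""Toy model of token validation against a read-only identity backend.

Constructed example for illustration; it is not Keystone's implementation.
Two validators are shown: one that trusts the persisted token record, and
one that re-reads the user and group memberships on every validation.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    enabled: bool = True
    groups: set = field(default_factory=set)


class ReadOnlyIdentityBackend:
    """Stands in for a read-only LDAP / AD directory.

    Keystone can read entries but receives no event when an administrator
    disables a user or changes group membership directly in the directory.
    """

    def __init__(self, users):
        self._users = {u.user_id: u for u in users}

    def get(self, user_id):
        return self._users.get(user_id)

    # The next two methods model changes made *outside* Keystone.
    def admin_disables(self, user_id):
        self._users[user_id].enabled = False

    def admin_removes_from_group(self, user_id, group):
        self._users[user_id].groups.discard(group)


# Constructed mapping of directory groups to roles granted to their members.
GROUP_ROLES = {"cloud-admins": {"admin"}, "tenants": {"member"}}


def roles_for_groups(groups):
    roles = set()
    for g in groups:
        roles |= GROUP_ROLES.get(g, set())
    return roles


@dataclass
class Token:
    token_id: str
    user_id: str
    expires_at: float
    roles: set  # snapshot of roles at issue time


class TokenStore:
    def __init__(self):
        self.tokens = {}
        self.revoked = set()

    def issue(self, backend, user_id, issued_at, ttl=3600):
        user = backend.get(user_id)
        if user is None or not user.enabled:
            raise PermissionError("cannot issue a token for a missing or disabled user")
        tok = Token(f"tok-{len(self.tokens)}", user_id, issued_at + ttl,
                    roles_for_groups(user.groups))
        self.tokens[tok.token_id] = tok
        return tok


def validate_persisted(store, token_id, now):
    """Persisted-token style: only the record and revocation list are checked.

    Returns the snapshot roles, or None if the token is invalid. A user
    disabled directly in the directory is still accepted here.
    """
    tok = store.tokens.get(token_id)
    if tok is None or token_id in store.revoked or tok.expires_at <= now:
        return None
    return set(tok.roles)


def validate_with_lookup(store, backend, token_id, now):
    """Lookup style: the user and groups are re-read at validation time.

    Returns the *current* roles, or None if the user is gone or disabled.
    """
    if validate_persisted(store, token_id, now) is None:
        return None
    user = backend.get(store.tokens[token_id].user_id)
    if user is None or not user.enabled:
        return None
    return roles_for_groups(user.groups)


def demo():
    """Issue a token, then disable the user directly in the backend."""
    backend = ReadOnlyIdentityBackend([User("alice", groups={"cloud-admins"})])
    store = TokenStore()
    tok = store.issue(backend, "alice", issued_at=1000.0)
    backend.admin_removes_from_group("alice", "cloud-admins")
    backend.admin_disables("alice")
    return (validate_persisted(store, tok.token_id, now=1500.0),
            validate_with_lookup(store, backend, tok.token_id, now=1500.0))


if __name__ == "__main__":
    print(demo())  # ({'admin'}, None)
```

The two return values of `demo()` are the whole point: the persisted-token validator still hands back the `admin` role snapshot for a user who has since been disabled and removed from the group, while the lookup validator returns nothing. Expiry is the only thing that ends the first token's life, which is the behaviour the comment describes for UUID and PKI tokens.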