Keystone v2.0 api accepts tokens deleted with v3 api
Bug #1464377 reported by Josh Kleinpeter
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Expired | High | Unassigned | |
| Juno | Fix Released | Undecided | Unassigned | |
| Kilo | Fix Released | Undecided | Unassigned | |
Bug Description
Keystone tokens that are deleted using the v3 api are still accepted by
the v2 api. Steps to reproduce:
1. Request a scoped token as a member of a tenant.
2. Delete it using DELETE /v3/auth/tokens
3. Request the tenants you can access with GET v2.0/tenants
4. The token is accepted and keystone returns the list of tenants
The token was a PKI token. Admin tokens appear to be deleted correctly.
This could be a problem if a user's access needs to be revoked but they
are still able to access v2 functions.
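The steps above can be turned into a regression check a deployer runs after upgrading: issue a scoped token, revoke it through the v3 API, then confirm the v2.0 API rejects it. The code below is an added example, not Keystone's own test suite. It assumes only the two endpoints named in the report (DELETE /v3/auth/tokens with the token as X-Subject-Token, GET /v2.0/tenants with it as X-Auth-Token), that a successful v3 delete returns 204 and a rejected v2 call returns 401, and a placeholder base URL; the in-memory FakeKeystone and its token strings are constructed so the check runs offline, with leaky=True reproducing the reported behaviour.

```python
"""Regression check: a token revoked via Keystone v3 must also be rejected by v2.0.
Added illustrative code, not Keystone's own. The transport is injected so the
same check runs against a live server (urllib) or the constructed fake below."""
import json
from urllib import request, error
from urllib.parse import urlsplit

BASE_URL = "http://keystone.example:5000"  # placeholder, not a real deployment


def http_urllib(method, url, headers=None, body=None):
    """Real transport for a live Keystone: returns (status, body) and never raises
    on 4xx/5xx, so the check can inspect the status code."""
    req = request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read()
    except error.HTTPError as e:
        return e.code, e.read()


def check_v2_honours_v3_revocation(http, base_url, token):
    """Run steps 2 and 3 of the report for an already-issued scoped token.

    http(method, url, headers) -> (status, body).  Returns a finding dict;
    'revocation_propagated' is True only when the v3 delete succeeded (204)
    and the v2.0 call with the same token was then refused (401)."""
    del_status, _ = http("DELETE", base_url + "/v3/auth/tokens",
                         {"X-Auth-Token": token, "X-Subject-Token": token})
    v2_status, _ = http("GET", base_url + "/v2.0/tenants",
                        {"X-Auth-Token": token})
    return {
        "v3_delete_status": del_status,
        "v2_after_delete_status": v2_status,
        "revocation_propagated": del_status == 204 and v2_status == 401,
    }


class FakeKeystone:
    """Constructed in-memory stand-in for the two endpoints the check uses.

    leaky=True models the reported defect: the v3 delete drops the token from
    the v3 view, but the v2.0 path keeps its own view and still accepts it."""

    def __init__(self, tokens, leaky):
        self.v3_valid = set(tokens)
        self.v2_valid = set(tokens)
        self.leaky = leaky

    def __call__(self, method, url, headers):
        path = urlsplit(url).path
        tok = headers.get("X-Auth-Token")
        if method == "DELETE" and path == "/v3/auth/tokens":
            if tok not in self.v3_valid:
                return 401, b""
            subject = headers.get("X-Subject-Token")
            self.v3_valid.discard(subject)
            if not self.leaky:          # fixed behaviour: revoke everywhere
                self.v2_valid.discard(subject)
            return 204, b""
        if method == "GET" and path == "/v2.0/tenants":
            if tok not in self.v2_valid:
                return 401, b""
            return 200, json.dumps({"tenants": [{"name": "demo"}]}).encode()
        return 404, b""


def run_offline_demo():
    """Exercise the check against the leaky and the fixed fake; returns both findings."""
    leaky = check_v2_honours_v3_revocation(
        FakeKeystone(["tok-constructed-1"], leaky=True), BASE_URL, "tok-constructed-1")
    fixed = check_v2_honours_v3_revocation(
        FakeKeystone(["tok-constructed-2"], leaky=False), BASE_URL, "tok-constructed-2")
    return {"leaky": leaky, "fixed": fixed}


if __name__ == "__main__":
    for name, finding in run_offline_demo().items():
        print(name, finding)
    # Against a real service: pass http_urllib, the deployment's base URL and a
    # freshly issued scoped token instead of the fake.
```

Against a live deployment the same function is called with http_urllib; a finding with v2_after_delete_status == 200 after a 204 delete is the condition this bug describes and is what a post-upgrade check should fail on.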
Activity log:
- tags: added: pki
- Changed in keystone: importance: Undecided → High
- no longer affects: ossa
- information type: Private Security → Public
- description: updated
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.