Comment 6 for bug 1464377

Josh Kleinpeter (jkleinpeter) wrote : Re: [Bug 1464377] Re: Keystone v2.0 api accepts tokens deleted with v3 api

No objections here. Sorry for lack of response, I don't really have more
detailed information :/

On Mon, Jul 6, 2015 at 9:52 AM, Tristan Cacqueray <email address hidden>
wrote:

> Unless someone objects, we will remove the ossa task and open this bug
> report by the end of the week.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1464377
>
> Title:
> Keystone v2.0 api accepts tokens deleted with v3 api
>
> Status in OpenStack Identity (Keystone):
> Incomplete
> Status in OpenStack Security Advisories:
> Incomplete
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> Keystone tokens that are deleted using the v3 api are still accepted by
> the v2 api. Steps to reproduce:
>
> 1. Request a scoped token as a member of a tenant.
> 2. Delete it using DELETE /v3/auth/tokens
> 3. Request the tenants you can access with GET v2.0/tenants
> 4. The token is accepted and keystone returns the list of tenants
>
> The token was a PKI token. Admin tokens appear to be deleted correctly.
> This could be a problem if a user's access needs to be revoked but they
> are still able to access v2 functions.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1464377/+subscriptions
>
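The four reproduction steps quoted above can be turned into a regression check an operator runs after patching: the script below is an added example, not code from the bug report or from Keystone, and it assumes the user and project live in the `default` domain; the HTTP layer is injected so the check runs offline against a constructed `FakeKeystone`.

```python
"""Regression check for this report: a token deleted with DELETE /v3/auth/tokens
must also be rejected by the v2.0 API. Added example, not Keystone code; the HTTP
layer is an injected callable so it runs offline against FakeKeystone below."""
import json
import secrets

DEFAULT_DOMAIN = {"id": "default"}  # assumption: user and project live in 'default'


def revoked_token_rejected_by_v2(send, user, password, project):
    """send(method, path, headers, body) -> (status, headers). True when v2.0
    answers 401 for the revoked token, False when it still accepts it."""
    # 1. Request a project-scoped token with the v3 password method.
    auth = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": DEFAULT_DOMAIN, "password": password}}},
        "scope": {"project": {"name": project, "domain": DEFAULT_DOMAIN}}}}
    status, hdrs = send("POST", "/v3/auth/tokens", {}, json.dumps(auth))
    if status != 201:
        raise RuntimeError(f"token request failed: HTTP {status}")
    token = hdrs["X-Subject-Token"]
    # 2. Delete it with v3; the token being revoked goes in X-Subject-Token.
    status, _ = send("DELETE", "/v3/auth/tokens",
                     {"X-Auth-Token": token, "X-Subject-Token": token}, None)
    if status != 204:
        raise RuntimeError(f"revocation failed: HTTP {status}")
    # 3. Present the same token to v2.0; anything but 401 means the bug is present.
    status, _ = send("GET", "/v2.0/tenants", {"X-Auth-Token": token}, None)
    return status == 401


class FakeKeystone:
    """Constructed in-memory stand-in for a Keystone endpoint (offline use only).
    v2_checks_revocation=False reproduces the accepted-after-delete behaviour."""
    def __init__(self, v2_checks_revocation=True):
        self.v2_checks_revocation = v2_checks_revocation
        self.issued, self.revoked = set(), set()

    def __call__(self, method, path, headers, body):
        if (method, path) == ("POST", "/v3/auth/tokens"):
            new = secrets.token_hex(16)
            self.issued.add(new)
            return 201, {"X-Subject-Token": new}
        tok = headers.get("X-Auth-Token")
        revoked_here = tok in self.revoked and (path.startswith("/v3") or self.v2_checks_revocation)
        if tok not in self.issued or revoked_here:
            return 401, {}
        if (method, path) == ("DELETE", "/v3/auth/tokens"):
            self.revoked.add(headers["X-Subject-Token"])
            return 204, {}
        return 200, {}
```

Against a real deployment, replace the fake with a callable that issues the request over HTTP and returns the status and response headers.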