[OSSA 2012-010] Tokens remain valid after a user account is disabled

Bug #997194 reported by Derek Higgins on 2012-05-09
Affects                          Importance   Assigned to
OpenStack Identity (keystone)    Wishlist     Derek Higgins
    Essex                        Undecided    Alan Pevec
OpenStack Security Advisory      Undecided    Thierry Carrez
keystone (Ubuntu)                Undecided    Unassigned
    Precise                      Undecided    Unassigned

Bug Description

> ./tools/with_venv.sh python ./keystoneclient/shell.py token-get
No handlers could be found for logger "keystoneclient.v2_0.client"
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2012-05-10T16:17:27Z       |
|     id    | 71f47f87993f4d41804d694886232c79 |
| tenant_id | b0b68a8de4d141d7afbde2683ae1a075 |
|  user_id  | e20d930d58c44b1e89ea93593fc43413 |
+-----------+----------------------------------+

> ./tools/with_venv.sh python ./keystoneclient/shell.py user-update --enabled false e20d930d58c44b1e89ea93593fc43413

> ./tools/with_venv.sh python ./keystoneclient/shell.py token-get
No handlers could be found for logger "keystoneclient.client"
Authorization Failed: User has been disabled (HTTP 403)

> curl -X GET http://127.0.0.1:35357/v2.0/tokens/71f47f87993f4d41804d694886232c79 -H 'X_AUTH_TOKEN: ADMIN' -H 'Content-Type: application/json'
{"access": {"token": {"expires": "2012-05-10T16:17:27Z", "id": "71f47f87993f4d41804d694886232c79", "tenant": {"id": "b0b68a8de4d141d7afbde2683ae1a075", "enabled": true, "description": null, "name": "test"}}, "user": {"username": "test", "roles_links": [], "id": "e20d930d58c44b1e89ea93593fc43413", "roles": [{"id": "81b6624332054062bd2a379539ff70a6", "name": "user"}], "name": "test"}}}

Derek Higgins (derekh) on 2012-05-09
Changed in keystone:
assignee: nobody → Derek Higgins (derekh)

Fix proposed to branch: master
Review: https://review.openstack.org/7344

Changed in keystone:
status: New → In Progress
Thierry Carrez (ttx) on 2012-05-16
security vulnerability: no → yes
Changed in keystone:
importance: Undecided → Wishlist
Devin Carlen (devcamcar) on 2012-05-19
Changed in keystone:
milestone: none → folsom-1

Reviewed: https://review.openstack.org/7344
Committed: http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
Submitter: Jenkins
Branch: master

commit 628149b3dc6b58b91fd08e6ca8d91c728ccb8626
Author: Derek Higgins <email address hidden>
Date: Fri May 11 13:42:43 2012 +0100

    Invalidate user tokens when a user is disabled

    Fixes Bug 997194

    Delete valid tokens for a user when they have been disabled

    Moved logic to delete tokens into update_user, as this can be called
    directly from the REST API.

    Also checks if a user is enabled when creating a token from another
    token; this helps in cases where the backend didn't support listing of
    tokens (and as a result they weren't deleted).

    Change-Id: Ib5ed73a7873bfa66ef31bf6d0f0322f50e677688

Changed in keystone:
status: In Progress → Fix Committed
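
The behaviour in the report and the two-part fix in the commit above, modelled in added example code that is not Keystone's own: `IdentityStore`, its method names and the `patched` switch are invented here. `patched=False` reproduces the Essex behaviour (a token issued before the user is disabled keeps validating until it expires); `patched=True` deletes the user's tokens in `update_user` and re-checks `enabled` when a token is created from another token.

```python
# Added model of Keystone bug 997194 and its fix, not Keystone's own code: the
# store, its method names and the `patched` switch are invented for this example.
import uuid
from datetime import datetime, timedelta, timezone

class IdentityStore:
    def __init__(self, patched):
        self.patched = patched  # False = Essex before the fix, True = fixed
        self.users = {}   # user_id -> {"enabled": bool}
        self.tokens = {}  # token_id -> {"user_id": str, "expires": datetime}

    def _issue(self, user_id, now):
        token_id = uuid.uuid4().hex
        self.tokens[token_id] = {"user_id": user_id, "expires": now + timedelta(hours=24)}
        return token_id

    def authenticate(self, user_id, now):
        # Credentials omitted; login already refused disabled users (HTTP 403).
        if not self.users[user_id]["enabled"]:
            raise PermissionError("User has been disabled")
        return self._issue(user_id, now)

    def update_user(self, user_id, enabled):
        self.users[user_id]["enabled"] = enabled
        if not enabled and self.patched:
            # Fix, part 1: delete the user's outstanding tokens when disabling.
            self.tokens = {t: v for t, v in self.tokens.items() if v["user_id"] != user_id}

    def validate_token(self, token_id, now):
        # GET /v2.0/tokens/<id> reads only the token record: unpatched, it stays valid.
        tok = self.tokens.get(token_id)
        return None if tok is None or tok["expires"] <= now else tok

    def rescope_token(self, token_id, now):
        # Fix, part 2: re-check `enabled` when minting a token from a token (None = HTTP error).
        tok = self.validate_token(token_id, now)
        if tok is None or (self.patched and not self.users[tok["user_id"]]["enabled"]):
            return None
        return self._issue(tok["user_id"], now)

def token_survives_disable(patched, via_rescope=False):
    """Replay the report: token-get, user-update --enabled false, reuse the token."""
    store = IdentityStore(patched)
    now = datetime(2012, 5, 9, 16, 17, tzinfo=timezone.utc)  # constructed clock
    user_id = uuid.uuid4().hex
    store.users[user_id] = {"enabled": True}
    token_id = store.authenticate(user_id, now)
    store.update_user(user_id, enabled=False)
    reuse = store.rescope_token if via_rescope else store.validate_token
    return reuse(token_id, now + timedelta(minutes=5)) is not None
```

`token_survives_disable(False)` returns True for both the validation and the token-from-token path, matching the curl output in the report; with `patched=True` both return False.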
Alan Pevec (apevec) on 2012-05-21
tags: added: essex-backport-potential
Thierry Carrez (ttx) on 2012-05-23
Changed in keystone:
status: Fix Committed → Fix Released
Alan Pevec (apevec) on 2012-06-11
tags: added: essex-backport
removed: essex-backport-potential

Reviewed: https://review.openstack.org/8456
Committed: http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454
Submitter: Jenkins
Branch: stable/essex

commit d9600434da14976463a0bd03abd8e0309f0db454
Author: Derek Higgins <email address hidden>
Date: Fri May 11 13:42:43 2012 +0100

    Invalidate user tokens when a user is disabled

    Fixes Bug 997194

    Delete valid tokens for a user when they have been disabled

    Moved logic to delete tokens into update_user, as this can be called
    directly from the REST API.

    Also checks if a user is enabled when creating a token from another
    token; this helps in cases where the backend didn't support listing of
    tokens (and as a result they weren't deleted).

    Change-Id: Ib5ed73a7873bfa66ef31bf6d0f0322f50e677688

@Russell: Retrospectively looks like something we should communicate about too. How about an OSSA together with bug 998185?

Russell Bryant (russellb) wrote:

Yeah, this one is a bit more serious. I think an OSSA is warranted here. If we're doing it for this, including bug 998185 with it too makes sense to me.

Flip a coin to see who writes the OSSA?

Dave Walker (davewalker) on 2012-08-24
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Precise):
status: New → Confirmed

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Keystone has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have been invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/7344
Stable review: https://review.openstack.org/8456

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Test coverage log.

tags: added: verification-done

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package keystone - 2012.1+stable~20120824-a16a0ab9-0ubuntu2

---------------
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2) precise-proposed; urgency=low

  * New upstream release (LP: #1041120):
    - debian/patches/0013-Flush-tenant-membership-deletion-before-user.patch:
      Dropped.
  * Resynchronize with stable/essex:
    - authenticate in ldap backend doesn't return a list of roles
      (LP: #1035428)
    - LDAP should not check username on "sn" field (LP: #997700)
    - Admin API doesn't valid token. (LP: #1006815, #1006822)
    - Memcache token backend eventually stops working. (LP: #1012381)
    - EC2 credentials not migrated from legacy (diablo) database. (LP: #1016056)
    - Deleting tenants or users does not cleanup metadata. (LP: #973243)
    - Deleting tenants does not cleanup its user associations. (LP: #974199)
    - TokenNotFound not raised in testsuite because of timezone issues. (LP: #983800)
    - Token authentication for a user in a disabled tenant does not raise
      Unauthorized error. (LP: #988920)
    - export_legacy_catalog doesn't convert url names correctly. (LP: #994936)
    - Following a password compromise and subsequent password change,
      tokens remain valid. (LP: #996595)
    - Tokens remain valid after a user account is disabled. (LP: #997194)
 -- Adam Gandelman <email address hidden> Fri, 24 Aug 2012 03:34:59 -0400

Changed in keystone (Ubuntu Precise):
status: Confirmed → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in keystone:
milestone: folsom-1 → 2012.2
Thierry Carrez (ttx) on 2013-06-07
summary: - Tokens remain valid after a user account is disabled
+ [OSSA 2012-010] Tokens remain valid after a user account is disabled
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released