Comment 3 for bug 1041396

Russell Bryant (russellb) wrote : Re: Token validation includes revoked roles

We need a couple of keystone-core reviews on these patches.

Here is a draft description. Right now it's mostly one long awkward sentence. There's probably a more elegant way of describing it ...

Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. If you revoke a role from a user from the admin API and then validate a token that existed before revoking the role, the token validation response will still include that role.
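To make the failure mode in the draft description concrete, here is an added example (not Keystone's code and not part of the bug report): a minimal in-memory token service in which `validate_snapshot` returns the roles captured when the token was issued (the behaviour described above), while `validate_live` re-resolves the user's roles from the current assignment store on every validation. The `RoleStore`/`TokenService` classes, the method names and the user and role names are hypothetical, constructed for this illustration. A small audit helper, `tokens_with_stale_roles`, shows the check an operator could run to find tokens that still carry a revoked role.

```python
"""Added example: why a token that snapshots roles keeps reporting a revoked
role, and a validator that re-resolves roles at validation time instead.
Everything here is constructed for illustration; it is not Keystone code.
"""
import secrets
import time


class RoleStore:
    """Current role assignments: user -> set of role names (hypothetical store)."""

    def __init__(self):
        self._assignments = {}

    def grant(self, user, role):
        self._assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Removing the role here is the "admin API" step from the description.
        self._assignments.get(user, set()).discard(role)

    def roles_for(self, user):
        return frozenset(self._assignments.get(user, set()))


class TokenService:
    """Issues bearer tokens and validates them in two different ways."""

    def __init__(self, roles):
        self.roles = roles
        self._tokens = {}  # token id -> {"user", "roles" (snapshot), "expires"}

    def issue(self, user, ttl_seconds=3600):
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = {
            "user": user,
            # Roles are copied into the token at issue time.
            "roles": self.roles.roles_for(user),
            "expires": time.time() + ttl_seconds,
        }
        return token_id

    def _lookup(self, token_id):
        entry = self._tokens.get(token_id)
        if entry is None or entry["expires"] < time.time():
            return None
        return entry

    def validate_snapshot(self, token_id):
        """Flawed behaviour: returns the roles frozen at issue time, so a role
        revoked after issuance is still reported for the token's lifetime."""
        entry = self._lookup(token_id)
        if entry is None:
            return None
        return {"user": entry["user"], "roles": entry["roles"]}

    def validate_live(self, token_id):
        """Hardened behaviour: the token only proves identity; the roles are
        re-read from the assignment store at validation time."""
        entry = self._lookup(token_id)
        if entry is None:
            return None
        return {"user": entry["user"], "roles": self.roles.roles_for(entry["user"])}

    def tokens_with_stale_roles(self):
        """Audit helper: unexpired tokens whose snapshot still lists a role the
        user no longer holds. Useful for detection or for bulk revocation."""
        now = time.time()
        stale = []
        for token_id, entry in self._tokens.items():
            if entry["expires"] < now:
                continue
            if entry["roles"] - self.roles.roles_for(entry["user"]):
                stale.append(token_id)
        return stale


def demo():
    """Reproduces the scenario from the description with constructed data:
    issue a token, revoke a role, then validate the pre-existing token."""
    roles = RoleStore()
    roles.grant("alice", "member")
    roles.grant("alice", "admin")
    svc = TokenService(roles)
    token = svc.issue("alice")
    roles.revoke("alice", "admin")  # revoked after the token already exists
    snapshot_roles = svc.validate_snapshot(token)["roles"]
    live_roles = svc.validate_live(token)["roles"]
    return snapshot_roles, live_roles, svc.tokens_with_stale_roles() == [token]


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the snapshot roles (still containing `admin`), the live roles (only `member`), and `True` from the audit helper. The design point is that the fix is not in the revocation call but in the validator: as long as validation answers from data copied into the token, every revocation has to be propagated to every outstanding token, whereas re-resolving roles at validation time makes the revocation take effect immediately.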