Comment 27 for bug 1166670

Sam Stoelinga (sammiestoel) wrote : Re: [Bug 1166670] Re: Deleted user can still create instances

Seems my company still doesn't like working upstream so better not, just my
name is fine.

Thx
On Apr 29, 2013 6:20 PM, "Thierry Carrez" <email address hidden> wrote:

> Here is the proposed impact description, please double-check.
>
> @Sam, do you want us to credit a specific company for the discovery, in
> addition to your name?
>
> ================================================
> Title: Keystone tokens not immediately invalidated when user is deleted
> Reporter: Sam Stoelinga
> Products: Keystone
> Affects: All versions
>
> Description:
> Sam Stoelinga reported a vulnerability in Keystone. When users are deleted
> through Keystone v2 API, existing tokens for those users are not
> immediately invalidated and remain valid for the duration of the token's
> life (by default, up to 24 hours). This may result in users retaining
> access when the administrator of the system thought them disabled. Keystone
> setups using the v3 API call to delete users are unaffected. You can
> work around this issue by disabling a user before deleting it: in that case
> the tokens belonging to the disabled user are immediately invalidated.
> ================================================
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1166670
>
> Title:
> Deleted user can still create instances
>
> Status in OpenStack Identity (Keystone):
> Confirmed
>
> Bug description:
> Description:
> A deleted user is still able to create instances and do other stuff if
> he's still logged in.
>
> Steps to reproduce:
> 1. Login with admin user in Chrome
> 2. Login with demo user in Firefox
> 3. Use the admin user to delete the demo user
> 4. Go back to Firefox and use the demo user to create an instance, for
> example
>
> Current result:
> Demo user in firefox stays logged in and can create instances, but I
> guess he can do anything he wants with his token
>
> Expected result:
> Demo user shouldn't be able to still create instances, or do other
> stuff. Instead he should be automatically logged out as soon as we notice
> that he's already deleted.
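The disable-before-delete workaround from the impact description above, as an added example that is not code from the bug report or from Keystone: `safe_delete_user` drives the v2 admin API in the safe order and then confirms that the user's known tokens no longer validate. The endpoint paths (`PUT /v2.0/users/{id}/OS-KSADM/enabled`, `DELETE /v2.0/users/{id}`, `GET /v2.0/tokens/{id}`) are my recollection of the v2 admin API and should be checked against the deployment; `FakeKeystoneV2` is a constructed stand-in that reproduces the reported behaviour so the example runs offline, and `http_transport` is the real-world transport to swap in.

```python
import json
import urllib.error
import urllib.request

def http_transport(base_url, admin_token):
    """Real transport: (method, path, body) -> HTTP status via the v2 admin API."""
    def send(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("X-Auth-Token", admin_token)
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send

def token_is_valid(send, token_id):
    # Admin-side token validation: 200/203 while the token lives, 404 once revoked.
    return send("GET", f"/v2.0/tokens/{token_id}") in (200, 203)

def safe_delete_user(send, user_id, known_tokens=()):
    """Disable first (revokes the user's tokens at once), then delete.
    Returns whichever of known_tokens still validate afterwards (expect [])."""
    body = {"user": {"enabled": False}}
    if send("PUT", f"/v2.0/users/{user_id}/OS-KSADM/enabled", body) not in (200, 204):
        raise RuntimeError("disable failed; refusing to delete a user with live tokens")
    if send("DELETE", f"/v2.0/users/{user_id}") not in (200, 204):
        raise RuntimeError("delete failed")
    return [t for t in known_tokens if token_is_valid(send, t)]

class FakeKeystoneV2:
    """Constructed stand-in: DELETE leaves tokens intact, only disabling revokes them."""
    def __init__(self):
        self.users, self.tokens = {"demo": True}, {"tok-demo": "demo"}
    def __call__(self, method, path, body=None):
        parts = path.split("/")  # ['', 'v2.0', 'users' | 'tokens', <id>, ...]
        if method == "PUT" and path.endswith("/OS-KSADM/enabled"):
            self.users[parts[3]] = body["user"]["enabled"]
            if not body["user"]["enabled"]:
                self.tokens = {t: u for t, u in self.tokens.items() if u != parts[3]}
            return 200
        if method == "DELETE" and parts[2] == "users":
            self.users.pop(parts[3])  # the reported bug: tokens are not touched
            return 204
        if method == "GET" and parts[2] == "tokens":
            return 200 if parts[3] in self.tokens else 404
        return 404
```

Running a plain `DELETE` against `FakeKeystoneV2()` leaves `token_is_valid(fake, "tok-demo")` true, which is the report's symptom; `safe_delete_user` on a fresh fake returns an empty list.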