Disabling users & groups may not invalidate previously-issued tokens
Bug #1434034 reported by Yukihiro KAWADA
This bug report is a duplicate of:
Bug #1435530: keystonemiddleware without TRL checking and default cache config can allow access after token revocation.
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Won't Fix | Medium | Morgan Fainberg | |
| Juno | Won't Fix | Medium | Morgan Fainberg | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | Confirmed | Medium | Doug Chivers | |
Bug Description
Even if the user is disabled, the last token issued to that user can still be used and is validated.
0. user foo is enabled
1. get token (a)
2. user foo is disabled
3. foo can still use any API with token (a)
That's all.
This is not a cache issue.
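The steps above can be replayed against a toy identity service to show the difference between a validator that checks only a token's existence and expiry and one that also consults the owning user's enabled flag and a revocation list (the "TRL" that the duplicate bug title refers to). This is an added illustration written for this page, not keystone or keystonemiddleware code; the class and method names (`IdentityService`, `validate_weak`, `validate_strict`, `reproduce`) and the in-memory token store are assumptions made for the example.

```python
"""Toy model of bearer-token validation with and without a disabled-user check.
Added illustration only; not keystone or keystonemiddleware code."""
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets
import time


@dataclass
class User:
    name: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    user_name: str
    issued_at: float
    expires_at: float


class IdentityService:
    """Hypothetical identity service: issues bearer tokens and validates them."""

    def __init__(self, token_ttl: float = 3600.0):
        self.users: dict[str, User] = {}
        self.tokens: dict[str, Token] = {}
        self.revoked_tokens: set[str] = set()  # hypothetical token revocation list
        self.token_ttl = token_ttl

    def create_user(self, name: str) -> User:
        user = User(name)
        self.users[name] = user
        return user

    def issue_token(self, name: str, now: Optional[float] = None) -> Token:
        now = time.time() if now is None else now
        user = self.users[name]
        if not user.enabled:
            raise PermissionError(f"user {name} is disabled")
        token = Token(secrets.token_hex(16), name, now, now + self.token_ttl)
        self.tokens[token.token_id] = token
        return token

    def disable_user(self, name: str) -> None:
        self.users[name].enabled = False
        # Hardened behaviour: disabling a user also revokes every token it holds,
        # so validators that only consult the revocation list still reject them.
        for token in self.tokens.values():
            if token.user_name == name:
                self.revoked_tokens.add(token.token_id)

    def validate_weak(self, token_id: str, now: Optional[float] = None) -> bool:
        """Weak check: the token exists and has not expired. Nothing else."""
        now = time.time() if now is None else now
        token = self.tokens.get(token_id)
        return token is not None and now < token.expires_at

    def validate_strict(self, token_id: str, now: Optional[float] = None) -> bool:
        """Strict check: weak check, plus the token is not revoked and its
        owning user is still enabled at validation time."""
        if not self.validate_weak(token_id, now):
            return False
        if token_id in self.revoked_tokens:
            return False
        user = self.users.get(self.tokens[token_id].user_name)
        return user is not None and user.enabled


def reproduce() -> Tuple[bool, bool]:
    """Replays steps 0-3 from the report; returns (weak_result, strict_result)."""
    svc = IdentityService()
    svc.create_user("foo")            # step 0: user foo is enabled
    tok = svc.issue_token("foo")      # step 1: get token (a)
    svc.disable_user("foo")           # step 2: user foo is disabled
    # step 3: does token (a) still validate?
    return svc.validate_weak(tok.token_id), svc.validate_strict(tok.token_id)


if __name__ == "__main__":
    weak, strict = reproduce()
    print(f"token accepted after user disabled: weak={weak} strict={strict}")
```

`validate_weak` reproduces the reported behaviour (the token is still accepted), while `validate_strict` rejects it both because the user is disabled and because `disable_user` pushed the token onto the revocation list; a validator that only sees cached token data, as in the duplicate bug, needs the revocation list to be consulted to get the same outcome.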
Changed in keystone:
- status: Triaged → In Progress
- assignee: nobody → Morgan Fainberg (mdrnstm)
- information type: Private Security → Public

Changed in ossn:
- assignee: nobody → Dave Walker (davewalker)

Changed in ossn:
- assignee: Dave Walker (davewalker) → Doug Chivers (doug-chivers)
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.