token revocations not always respected when using fernet tokens
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | werner mendizabal | |
| Kilo | Won't Fix | Medium | Dolph Mathews | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
A simple test that shows that fernet tokens are not always being invalidated.
Simple test steps:
1) get a token
2) delete the token
3) try to validate the deleted token
When I run this in production on 10 tokens, I get about a 20% success rate on the token being detected as invalid; 80% of the time, keystone tells me the token is valid.
I have validated that the token is showing in the revocation event table.
I've tried a 5 second delay between the calls which did not change the behavior.
My current script (below) will look for 204 and 404 to show failure and will wait forever. I've let it wait over 5 minutes; it seems to me that either keystone knows immediately that the token is invalid or not at all.
I do not have memcache enabled on these nodes.
The same test has a 100% pass rate with UUID tokens.
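The three-step check above (issue, revoke, validate) as a stand-alone reproduction against the Keystone v3 token API. This is an added example, not the reporter's script and not keystone's own code: `KEYSTONE_URL`, the user, project and password values are placeholders for a real deployment, and `FakeKeystone` is a constructed in-memory stand-in (its `honour_revocations=False` mode mimics the reported symptom, a recorded revocation that validation ignores) so the logic can be exercised offline.

```python
"""Revoke-then-validate check against the Keystone v3 token API (added example)."""
import json
import urllib.error
import urllib.request

KEYSTONE_URL = "http://keystone.example.test:5000"  # assumption: a v3 endpoint


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport. Returns (status, lower-cased response headers, body)."""
    data = json.dumps(body).encode() if body is not None else None
    hdrs = dict(headers)
    if data is not None:
        hdrs["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.getcode(), {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def issue_token(transport, base, user, password, project, domain="default"):
    """POST /v3/auth/tokens (password auth, project scope); returns the token id."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"id": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"id": domain}}}}}
    status, headers, _ = transport("POST", base + "/v3/auth/tokens", {}, body)
    if status != 201:
        raise RuntimeError("token issue failed: HTTP %d" % status)
    return headers["x-subject-token"]


def revoke_token(transport, base, auth_token, subject_token):
    """DELETE /v3/auth/tokens; Keystone answers 204 when the revocation is recorded."""
    status, _, _ = transport("DELETE", base + "/v3/auth/tokens",
                             {"X-Auth-Token": auth_token, "X-Subject-Token": subject_token})
    if status != 204:
        raise RuntimeError("token revoke failed: HTTP %d" % status)


def token_is_valid(transport, base, auth_token, subject_token):
    """HEAD /v3/auth/tokens: 200 means valid, 404 means invalid/revoked."""
    status, _, _ = transport("HEAD", base + "/v3/auth/tokens",
                             {"X-Auth-Token": auth_token, "X-Subject-Token": subject_token})
    if status == 200:
        return True
    if status == 404:
        return False
    raise RuntimeError("unexpected validate status: HTTP %d" % status)


def revocation_trial(transport, base, admin_token, user, password, project, runs=10):
    """Issue, revoke and re-validate `runs` tokens.

    Returns (detected_invalid, still_valid). Any still_valid > 0 means a
    revoked token was accepted after its revocation was acknowledged.
    """
    detected, leaked = 0, 0
    for _ in range(runs):
        tok = issue_token(transport, base, user, password, project)
        revoke_token(transport, base, admin_token, tok)
        if token_is_valid(transport, base, admin_token, tok):
            leaked += 1
        else:
            detected += 1
    return detected, leaked


class FakeKeystone:
    """Constructed offline stand-in for the three token endpoints used above.

    honour_revocations=True  -> revoked tokens validate as 404 (expected).
    honour_revocations=False -> revocations are recorded but ignored at
                                validation time (the symptom in this report).
    """

    def __init__(self, honour_revocations=True):
        self.honour = honour_revocations
        self.issued, self.revoked, self.counter = set(), set(), 0

    def _live(self, tok):
        if tok not in self.issued:
            return False
        return (not self.honour) or tok not in self.revoked

    def __call__(self, method, url, headers, body=None):
        if not url.endswith("/v3/auth/tokens"):
            return 404, {}, b""
        if method == "POST":
            self.counter += 1
            tok = "tok-%03d" % self.counter  # constructed token id
            self.issued.add(tok)
            return 201, {"x-subject-token": tok}, b"{}"
        if not self._live(headers.get("X-Auth-Token")):
            return 401, {}, b""
        subject = headers.get("X-Subject-Token")
        if method == "DELETE":
            self.revoked.add(subject)  # the revocation event is always recorded
            return 204, {}, b""
        if method == "HEAD":
            return (200 if self._live(subject) else 404), {}, b""
        return 405, {}, b""
```

Against a real deployment, pass `urllib_transport` instead of a `FakeKeystone` instance and an admin token obtained with `issue_token`; the admin token must be a different token than the one being revoked, otherwise the validate call fails with 401 rather than reporting 404.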
Changed in keystone:
status: New → Confirmed

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
tags: added: kilo-backport-potential

Changed in keystone:
status: Confirmed → In Progress
tags: removed: kilo-backport-potential

Changed in keystone:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released

Changed in keystone:
milestone: liberty-rc1 → 8.0.0
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.