keystonemiddleware without TRL checking and default cache config can allow access after token revocation

This bug was split from https://bugs.launchpad.net/keystone/+bug/1434034

duplicate of https://bugs.launchpad.net/python-keystoneclient/+bug/1287301 , IMO.

I agree it looks like it could be dup.

Anyway I still added the OSSA task to this bug and marked it incomplete pending a discussion with VMT on how to handle.

I couldn't find where the OSSG published a OSSN for bug 1287301 so it might be worth doing this time around if it was missed last time.

If I understand correctly the worse case scenario here is a slightly deferred token invalidation, which I would not consider OSSA (advisory) material (could be considered "working as designed"). It is certainly OSSN (security note / documentation) material though.

Given the impact and in order to facilitate work on this, I propose we open this bug publicly.

100% spot on Thierry. And I agree we open this to the public. I deferred that choice to the VMT though.

Brant, bug 1287301 affects keystone setups with a TRL while this one affects setups without TRL... Though the behavior is basically the same.

+1 to open this and remove the OSSA task.

OK, it's public now.

This is by design, but we have a chance to improve the behavior with token revocation events.

This is a case where an OSSN and eliminating awful defaults will make behavior less bad. The fact that a similar issue in the past did not have an OSSN was the main reason this was raised as it was.

I agree that an OSSN would be appropriate.

Review link: https://review.openstack.org/#/c/219922/

This has been published as OSSN-0056:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0056

This is relatively by design. See previous comments.