Comment 17 for bug 1041396

Thierry Carrez (ttx) wrote : Re: Token validation includes revoked roles

Patches could use a bit of refactoring, to avoid the copy-paste of code.

Adding Mark to make sure that behavior change (invalidate all the user tokens whenever a role is granted or revoked) would be acceptable for stable/essex.

Fixed proposed description:
"""
Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue.
"""