Comment 8 for bug 1041396

Russell Bryant (russellb) wrote : Re: Token validation includes revoked roles

So it looks like memcache is the only token backend that would still have this problem? We should note that in the description. If someone is using the memcache backend, presumably they are accepting this shortcoming. Are they going to get annoyed with getting this warning in their log over and over? Perhaps it should only be logged once?

Updated description:

Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated.

The proposed patch invalidates all tokens held by a user upon role grant/revoke to circumvent the issue. Note that due to how the memcache token backend works, it will still be affected by this issue.
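A minimal model of the issue described above, added here as an example and not Keystone's own code: the vulnerable service snapshots the user's roles into the token at issue time and never re-checks them, while the patched variant invalidates every token the user holds on each grant/revoke, as the proposed patch does. All class, function and user names are assumptions; note that the patched variant needs a per-user token index, which not every token backend offers.

```python
import secrets
from collections import defaultdict
class RoleStore:
    """Current role assignments; notifies listeners when a user's roles change."""
    def __init__(self):
        self.roles = defaultdict(set)   # user_id -> {role, ...}
        self.listeners = []             # callables taking user_id
    def grant(self, user_id, role):
        self.roles[user_id].add(role)
        self._notify(user_id)
    def revoke(self, user_id, role):
        self.roles[user_id].discard(role)
        self._notify(user_id)
    def _notify(self, user_id):
        for cb in self.listeners:
            cb(user_id)

class VulnerableTokenService:
    """Roles are copied into the token at issue time and never re-checked."""
    def __init__(self, roles):
        self.roles = roles
        self.tokens = {}                # token_id -> (user_id, frozenset(roles))
    def issue(self, user_id):
        tid = secrets.token_hex(16)     # constructed opaque token id
        self.tokens[tid] = (user_id, frozenset(self.roles.roles[user_id]))
        return tid
    def validate(self, tid):
        # Returns the roles baked into the token, or None if it is unknown.
        return set(self.tokens[tid][1]) if tid in self.tokens else None

class PatchedTokenService(VulnerableTokenService):
    """Invalidates all of a user's tokens on grant/revoke (needs per-user index)."""
    def __init__(self, roles):
        super().__init__(roles)
        self.by_user = defaultdict(set)  # user_id -> {token_id, ...}
        roles.listeners.append(self.invalidate_user)
    def issue(self, user_id):
        tid = super().issue(user_id)
        self.by_user[user_id].add(tid)
        return tid
    def invalidate_user(self, user_id):
        for tid in self.by_user.pop(user_id, set()):
            self.tokens.pop(tid, None)

def roles_after_revoke(service_cls):
    # Issue a token while 'alice' holds 'admin', revoke it, then validate the token.
    roles = RoleStore()
    svc = service_cls(roles)
    roles.grant("alice", "admin")
    tid = svc.issue("alice")
    roles.revoke("alice", "admin")
    return svc.validate(tid)
```

With the vulnerable service the old token still validates with the revoked role; with the patched service it no longer validates at all.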