OpenStack Security Notes

  1. Bug #1434034
  2. Comment #8

Comment 8 for bug 1434034

Revision history for this message
Yukihiro KAWADA (warp-kawada) wrote : Re: Even if the user is disabled, can use the last token is validated

First, I doubted the cache.
So, of course I checked set to nova.token_cache_time=-1.
Actually keystonemiddleware did not use cache.

# configurable duration (in seconds). Set to -1 to disable
# caching completely. (integer value)
#token_cache_time=300
# Y.Kawada
token_cache_time=-1

And I re-checked.
token_cache_time=1 is same result.

I was confirmed using keystone client not operate the database directly.

keystone --debug user-update --enabled false 568cdf76c85a457bae3a7f8bc15fd72d
Then, result was same.
I can use nova list after 1sec or 300 sec.

keystone token-get;date
+-----------+----------------------------------+
| Property | Value |
 +-----------+----------------------------------+
| expires | 2015-03-24T04:19:45Z |
| id | 83242b13093544b5bf1ef629cc372485 |
| tenant_id | 26b0778356a343739578dcebbf48c486 |
| user_id | 568cdf76c85a457bae3a7f8bc15fd72d |
 Mon, 23 Mar 2015 04:20:11 GMT

keystone --debug user-update --enabled false 568cdf76c85a457bae3a7f8bc15fd72d; date
User has been updated.
Mon Mar 23 13:20:43 JST 2015

curl -i 'http://nova-host:8774/v2/xxxxxxxxxxxxxxxxx/servers/detail' -X GET -H "Accept: application/json" -H "User-Agent: python-novaclient" -H "X-Auth-Project-Id: vps_kawada" -H "X-Auth-Token: 83242b13093544b5bf1ef629cc372485";date
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1667
X-Compute-Request-Id: req-d0aeb86a-471c-4b5e-b830-74d5893af02a
Date: Mon, 23 Mar 2015 04:44:19 GMT
{"servers": [{"status": "ACTIVE", "updated": "2015-03-19T01:22:30Z", "hostId": "
:
 "metadata": {}}]}
Mon Mar 23 13:44:19 JST 2015