Comment 21 for bug 1287301

Revision history for this message
Abu Shohel Ahmed (shohel-csdu) wrote : Re: [Openstack-security] [Bug 1287301] Re: Keystone client token cache doesn't respect revoked tokens

The earlier link somehow did not show in the email. Some analysis I have done
on this topic: Threats vs Performance

https://drive.google.com/file/d/0B1aEVfmQtqnoM0luMFpMMXh4RkE/edit?usp=sharing

…shohel

On 13 Mar 2014, at 14:29, Abu Shohel Ahmed <email address hidden> wrote:

> Some pros and cons analysis on this topic. What are the related threats and
> their impacts.
>
> …shohel
>
>
> On 12 Mar 2014, at 18:35, Matthew Edmonds <email address hidden> wrote:
>
>> setting a higher value for token_cache_time and a lower value for
>> revocation_cache_time (assuming we start using the revocation list here
>> as proposed by https://review.openstack.org/#/c/78241/) would allow you
>> to gain the performance improvement of not having to re-request tokens
>> as often while satisfying the security requirement that revocation take
>> effect in a timely manner. Yes, the revocation list is being requested
>> more frequently, and may offset some of the performance gains from
>> caching tokens. But the revocation list can be used to validate any
>> token, so multiple tokens could be validated over the life of the cached
>> revocation list, instead of each token validation requiring a call back
>> to keystone should token_cache_time be similarly reduced.
>>
>> --
>> You received this bug notification because you are a member of OpenStack
>> Security Group, which is subscribed to OpenStack.
>> https://bugs.launchpad.net/bugs/1287301
>>
>> Title:
>> Keystone client token cache doesn't respect revoked tokens
>>
>> Status in OpenStack Security Advisories:
>> Invalid
>> Status in Python client library for Keystone:
>> In Progress
>>
>> Bug description:
>> If we'll enable caching for keystoneclient tokens we'll be able to use
>> tokens that are already revoked if they are present in cache:
>>
>> https://github.com/openstack/python-keystoneclient/blob/0.6.0/keystoneclient/middleware/auth_token.py#L831
>>
>> steps to recreate:
>> 1) get a token
>> 2) use it to make a request via keystoneclient using default properties (thus it will be cached)
>> 3) delete the token
>> 4) use the token to make another request via keystoneclient
>>
>> expected result: the token should not work (HTTP 401)
>> actual result: the token still works
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/ossa/+bug/1287301/+subscriptions
>>
>> _______________________________________________
>> Openstack-security mailing list
>> <email address hidden>
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
>
> ** Attachment added: "Token_Access_scenario_CACHE Sheet1.pdf"
> https://bugs.launchpad.net/bugs/1287301/+attachment/4022028/+files/Token_Access_scenario_CACHE%20Sheet1.pdf
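An added illustration of the trade-off Matthew describes above, not code from python-keystoneclient: a minimal token-validation cache that keeps positive validations for token_cache_time but re-fetches the revocation list every revocation_cache_time, run through the bug report's four steps on a fake clock. FakeKeystone is a constructed stand-in for the Keystone server, and TokenCache/reproduce are hypothetical names chosen for this example.

```python
import time

class FakeKeystone:
    """Constructed stand-in for the Keystone server (an assumption, not the real API)."""
    def __init__(self):
        self.valid, self.revoked = set(), set()
    def issue(self, token):
        self.valid.add(token)
    def revoke(self, token):
        self.valid.discard(token)
        self.revoked.add(token)
    def validate(self, token):           # a round trip per uncached validation
        return token in self.valid
    def revocation_list(self):           # a round trip per list refresh
        return frozenset(self.revoked)

class TokenCache:
    """Caches positive validations; revocation_cache_time=None reproduces the bug."""
    def __init__(self, ks, token_cache_time, revocation_cache_time, clock=time.monotonic):
        self.ks, self.clock = ks, clock
        self.token_cache_time, self.revocation_cache_time = token_cache_time, revocation_cache_time
        self._tokens = {}                # token -> expiry of its cache entry
        self._revoked, self._revoked_at = frozenset(), None
    def _revocation_list(self, now):
        if self._revoked_at is None or now - self._revoked_at >= self.revocation_cache_time:
            self._revoked, self._revoked_at = self.ks.revocation_list(), now
        return self._revoked

    def is_valid(self, token):
        now = self.clock()
        # The revocation check runs first, so a cached entry cannot outlive the list refresh.
        if self.revocation_cache_time is not None and token in self._revocation_list(now):
            self._tokens.pop(token, None)
            return False
        if self._tokens.get(token, 0) > now:
            return True                  # cache hit: no call back to Keystone
        ok = self.ks.validate(token)
        if ok:
            self._tokens[token] = now + self.token_cache_time
        return ok

def reproduce(revocation_cache_time, seconds_after_revoke=10):
    """Bug report steps 1-4 on a fake clock; returns whether the revoked token still works."""
    clock = [0.0]
    ks = FakeKeystone()
    cache = TokenCache(ks, 300, revocation_cache_time, clock=lambda: clock[0])
    ks.issue("tok")                      # 1) get a token
    cache.is_valid("tok")                # 2) first use: validated and cached
    ks.revoke("tok")                     # 3) delete the token
    clock[0] += seconds_after_revoke     # 4) use it again, still within token_cache_time
    return cache.is_valid("tok")
```

With no revocation list the revoked token keeps working for the whole token_cache_time; with the list, the window in which a revoked token is still accepted is bounded by revocation_cache_time rather than token_cache_time.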