Comment 25 for bug 1166670

Dolph Mathews (dolph) wrote : Re: Deleted user can still create instances

1) When users are deleted, their existing tokens are not invalidated, so they stay valid for the duration of the token life? Yes, the workaround here is to disable the user prior to deleting them, which will result in tokens being revoked as expected.

2) What is the default lifetime for a token? 24 hours; this is configurable via keystone.conf [token] expiration (defaults to 86400 seconds).

3) Which types of tokens are affected? PKI and UUID, both.

And as henry-nash pointed out, this only affects the delete user call on the v2 API, but both APIs will continue to validate pre-existing tokens. After a user is either disabled or deleted, they are not able to generate new tokens.