yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1329737] Re: Valid tokens remain after token's user was deleted

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Mon, 16 Jun 2014 14:04:00 -0000
Reply-to: Bug 1329737 <1329737@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: ossa
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329737

Title:
  Valid tokens remain after token's user was deleted

Status in OpenStack Identity (Keystone):
  Triaged
Status in OpenStack Security Advisories:
  New

Bug description:
  When user is deleted, deleted user's tokens are expired after committing transaction for deleting user.
  If database dies while tokens are being expired, remaining tokens will lose the chance to expire until 24 hours later.
  (Because user is already deleted.)
  In this case, remaining tokens are able to used to authenticate despite the fact that token's user was deleted.

  I think this case is dangerous from the security point of view.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329737/+subscriptions