yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #37131
[Bug 1484237] Re: token revocations not always respected when using fernet tokens
I agree this seems like a very impractical/unlikely vulnerability in any
real-world deployment, so class C1 in our report taxonomy:
https://security.openstack.org/vmt-process.html#incident-report-taxonomy
** Information type changed from Private Security to Public
** Tags added: security
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1484237
Title:
token revocations not always respected when using fernet tokens
Status in Keystone:
Confirmed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
A simple test that shows that fernet tokens are not always being
invalidated.
Simple test steps:
1) gets a token
2) deletes a token
3) tries to validate the deleted token
When I run this in production on 10 tokens, I get about a 20% success
rate on the token being detected as invalid, 80% of the time, keystone
tells me the token is valid.
I have validated that the token is showing in the revocation event
table.
I've tried a 5 second delay between the calls which did not change the
behavior.
My current script (below) will look for 204 and 404 to show failure
and will wait forever. I've let it wait over 5 minutes, it seems to me
that either keystone knows immediately that the token is invalid or
not at all.
I do not have memcache enabled on these nodes.
The same test has a 100% pass rate with UUID tokens.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484237/+subscriptions