yahoo-eng-team team mailing list archive
Message #37532
[Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens
Based on today's keystone meeting and the above comments, I've reduced
the priority of this to Medium across the board and marked this as Won't
Fix in Keystone.
Although this is working as intended, we acknowledge that that intended
behavior is poorly documented, and it seems an OSSN is the best route to
rectify that.
I'd be happy to work with whoever wants to write the OSSN - ping me in
IRC (dolphm) or leave a comment here.
** Changed in: keystone
Importance: Critical => Medium
** Changed in: keystone
Status: In Progress => Won't Fix
** Changed in: keystone/juno
Importance: Critical => Medium
** Changed in: keystone/juno
Status: In Progress => Won't Fix
** Changed in: ossn
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1434034
Title:
Disabling users & groups may not invalidate previously-issued tokens
Status in Keystone:
Won't Fix
Status in Keystone juno series:
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Confirmed
Bug description:
Even if the user is disabled, the last token can still be used and is validated.
0. user foo is enabled
1. get token (a)
2. user foo is disabled
3. foo can still use any APIs by token(a)
that's all.
This issue is not cache process.