
yahoo-eng-team team mailing list archive

[Bug 1317302] Re: pki_setup shouldn't be required to check revocations


Reviewed:  https://review.openstack.org/260153
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c18763669178cd0d00cca9021e0e88568b546a72
Submitter: Jenkins
Branch:    master

commit c18763669178cd0d00cca9021e0e88568b546a72
Author: Brant Knudson <bknudson@xxxxxxxxxx>
Date:   Mon Dec 21 13:32:34 2015 -0600

    Parameter to return audit ids only in revocation list
    
    The revocation list will only include audit IDs and not token
    IDs if ?audit_id_only is on the request. Also, the data won't be
    obfuscated since the audit_ids aren't useful for auth. If the clients
    (typically auth_token) only request the revocation list with audit IDs
    only then the deployer doesn't have to do pki_setup to use the
    revocation list.
    
    Closes-Bug: 1317302
    Change-Id: I197df21098f545b27163c9456917491561b53abb


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1317302

Title:
  pki_setup shouldn't be required to check revocations

Status in OpenStack Identity (keystone):
  Fix Released
Status in keystonemiddleware:
  In Progress

Bug description:
  With the fix for bug 1312858, auth_token can validate UUID tokens or hashed PKI tokens against the revocation list. But in order to use this in a setting where only UUID tokens are being used, the server still needs to have pki_setup run. We should be able to check UUID tokens against the revocation list even when pki_setup hasn't been done.

  The reason pki_setup has to be done is that the revocation list is
  signed using CMS. The auth_token middleware only accepts the signed
  format for the revocation list.

  The proposed solution is to change the auth_token middleware to also
  accept a revocation list that's not signed. If it's not signed, then
  the PKI certificates aren't required.

  The keystone server will be changed to allow configuring it such that
  the revocation list will be sent as an unencrypted JSON object that
  the auth_token middleware can now accept.
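As an added illustration (not code from keystone or keystonemiddleware), this is the kind of check a middleware can perform once the revocation list arrives as plain JSON carrying audit IDs instead of a CMS-signed blob: parse the list, drop entries whose token has already expired, and test a token's audit IDs against what remains. The JSON key names ("revoked", "audit_id", "expires"), the timestamp format and the sample entries are assumptions constructed for this example.

```python
import json
from datetime import datetime, timezone

# Constructed revocation list in the unsigned JSON shape the bug proposes.
# Key names and timestamp format are assumptions, not taken from keystone.
REVOCATION_LIST_JSON = json.dumps({
    "revoked": [
        {"audit_id": "aud-revoked-1", "expires": "2099-01-01T00:00:00Z"},
        {"audit_id": "aud-expired", "expires": "2000-01-01T00:00:00Z"},
    ]
})

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed wire format for "expires"


def parse_revocation_list(raw, now=None):
    """Return the set of revoked audit IDs whose tokens are still live.

    No signature check is needed here: audit IDs cannot be used to
    authenticate, so the list does not have to be CMS-signed or obfuscated
    the way a list of token IDs would. Entries whose token has already
    expired are dropped, since such a token fails validation anyway.
    """
    now = now or datetime.now(timezone.utc)
    data = json.loads(raw)
    live = set()
    for entry in data.get("revoked", []):
        if "audit_id" not in entry:
            continue  # token-ID style entry; not handled in audit-ID mode
        expires = datetime.strptime(entry["expires"], TIMESTAMP_FMT)
        expires = expires.replace(tzinfo=timezone.utc)
        if expires > now:
            live.add(entry["audit_id"])
    return live


def is_revoked(token_audit_ids, revoked_audit_ids):
    """A token is revoked if any of its audit IDs is listed.

    A token's audit_ids list holds its own audit ID and, for a rescoped
    token, the parent's ID, so revoking the parent revokes the chain.
    """
    return any(aid in revoked_audit_ids for aid in token_audit_ids)
```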

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1317302/+subscriptions