Comment 28 for bug 1166670

Henry Nash (henry-nash) wrote : Re: [Bug 1166670] Re: Deleted user can still create instances

Looks good - although maybe move the workaround description before the sentence where we say that v3 is unaffected - making it more obvious that you only need the workaround for v2.

Henry
On 29 Apr 2013, at 11:12, Thierry Carrez wrote:

> Here is the proposed impact description, please double-check.
>
> @Sam, do you want us to credit a specific company for the discovery, in
> addition to your name ?
>
> ================================================
> Title: Keystone tokens not immediately invalidated when user is deleted
> Reporter: Sam Stoelinga
> Products: Keystone
> Affects: All versions
>
> Description:
> Sam Stoelinga reported a vulnerability in Keystone. When users are deleted through the Keystone v2 API, existing tokens for those users are not immediately invalidated and remain valid for the duration of the token's life (by default, up to 24 hours). This may result in users retaining access when the administrator of the system thought them disabled. Keystone setups using the v3 API call to delete users are unaffected. You can work around this issue by disabling a user before deleting it: in that case the tokens belonging to the disabled user are immediately invalidated.
> ================================================
>
> https://bugs.launchpad.net/bugs/1166670
>
> Title:
> Deleted user can still create instances
>
> Status in OpenStack Identity (Keystone):
> Confirmed
>
> Bug description:
> Description:
> A deleted user is still able to create instances and do other stuff if he's still logged in.
>
> Steps to reproduce:
> 1. Login with admin user in Chrome
> 2. Login with demo user in Firefox
> 3. Use the admin user to delete the demo user
> 4. Go back to Firefox and use the demo user to create an instance, for example
>
> Current result:
> Demo user in Firefox stays logged in and can create instances, but I guess he can do anything he wants with his token
>
> Expected result:
> Demo user shouldn't be able to still create instances, or do other stuff. Instead he should be automatically logged out as soon as we notice that he's already deleted.
>
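A simplified model of the behaviour the impact description lays out, added here as an illustration and not Keystone's own code: a v2-style delete leaves the user's tokens valid for their full lifetime, while disabling the user first (the workaround) or a v3-style delete revokes them immediately. The class name `IdentityModel` and the `check_user` option on `validate_token` are assumptions; `check_user` shows the validation-side check that would close the gap regardless of which API deleted the user.

```python
"""Constructed model of the token/user lifecycle described in bug 1166670."""
import time

TOKEN_LIFETIME = 24 * 3600  # default token life quoted in the impact description


class IdentityModel:
    """Toy identity service: users, tokens and the revocation paths between them."""

    def __init__(self, now=None):
        self.now = now or time.time   # injectable clock so expiry can be tested
        self.users = {}               # user_id -> {"enabled": bool}
        self.tokens = {}              # token_id -> {"user_id": str, "expires": float}

    def create_user(self, user_id):
        self.users[user_id] = {"enabled": True}

    def issue_token(self, token_id, user_id):
        self.tokens[token_id] = {"user_id": user_id,
                                 "expires": self.now() + TOKEN_LIFETIME}

    def revoke_user_tokens(self, user_id):
        # Drop every token issued to this user; list() avoids mutating while iterating
        for tid in [t for t, v in self.tokens.items() if v["user_id"] == user_id]:
            del self.tokens[tid]

    def disable_user(self, user_id):
        # Disabling revokes tokens immediately: this is the page's workaround
        self.users[user_id]["enabled"] = False
        self.revoke_user_tokens(user_id)

    def delete_user_v2(self, user_id):
        # v2 behaviour as described: the user record goes, the tokens stay
        del self.users[user_id]

    def delete_user_v3(self, user_id):
        # v3 behaviour as described: tokens are revoked alongside the deletion
        self.revoke_user_tokens(user_id)
        del self.users[user_id]

    def validate_token(self, token_id, check_user=False):
        """Return True if the token is known and unexpired.

        With check_user=True (assumed hardening, not on the page) the owning
        user must also still exist and be enabled, so a stale token fails
        even if the delete path never revoked it.
        """
        tok = self.tokens.get(token_id)
        if tok is None or tok["expires"] <= self.now():
            return False
        if check_user:
            user = self.users.get(tok["user_id"])
            if user is None or not user["enabled"]:
                return False
        return True
```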