Agreed this corner case needs to be better handled in future versions of
keystone.
** Changed in: ossa
Status: New => Won't Fix
** Information type changed from Public Security to Public
** Summary changed:
- Valid tokens remain after token's user was deleted
+ Valid tokens may remain after token's user was deleted
https://bugs.launchpad.net/bugs/1329737
Title:
Valid tokens may remain after token's user was deleted
Status in OpenStack Identity (Keystone):
Triaged
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
When a user is deleted, the deleted user's tokens are expired after committing
the transaction for deleting the user.
If the database dies while tokens are being expired, the remaining tokens will lose
the chance to expire until 24 hours later.
(Because the user is already deleted.)
In this case, the remaining tokens can still be used to authenticate despite the
fact that the token's user was deleted.
I think this case is dangerous from the security point of view.
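
The failure mode described in this report, reproduced as an added example (not part of the original bug report and not Keystone code). The `users`/`tokens` schema and all function names are assumptions made for illustration; it contrasts the delete-then-expire ordering with a single-transaction delete and with a validation check that requires the token's user to still exist.

```python
import sqlite3

def make_db():
    # Constructed schema for illustration; not Keystone's real tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id TEXT PRIMARY KEY);
        CREATE TABLE tokens (id TEXT PRIMARY KEY, user_id TEXT, valid INTEGER);
        INSERT INTO users  VALUES ('u1');
        INSERT INTO tokens VALUES ('t1','u1',1), ('t2','u1',1), ('t3','u1',1);
    """)
    conn.commit()
    return conn

def delete_then_expire(conn, user_id, die_after):
    """Ordering from the report: commit the delete, then expire tokens."""
    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    conn.commit()
    ids = [r[0] for r in conn.execute(
        "SELECT id FROM tokens WHERE user_id = ? ORDER BY id", (user_id,))]
    for n, tid in enumerate(ids):
        if n == die_after:
            raise ConnectionError("simulated database outage")
        conn.execute("UPDATE tokens SET valid = 0 WHERE id = ?", (tid,))
        conn.commit()

def delete_atomic(conn, user_id, die=False):
    """Expire tokens and delete the user in one transaction."""
    try:
        conn.execute("UPDATE tokens SET valid = 0 WHERE user_id = ?", (user_id,))
        if die:
            raise ConnectionError("simulated database outage")
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        conn.commit()
    except ConnectionError:
        conn.rollback()  # user and tokens are both untouched; safe to retry
        raise

def usable_tokens(conn, check_user):
    """Token ids that validation would accept."""
    sql = "SELECT t.id FROM tokens t WHERE t.valid = 1"
    if check_user:  # defence in depth: the owning user must still exist
        sql += " AND EXISTS (SELECT 1 FROM users u WHERE u.id = t.user_id)"
    return [r[0] for r in conn.execute(sql + " ORDER BY t.id")]
```

With the outage simulated after the first token, the delete-then-expire path leaves two tokens that a flag-only check accepts, while the check that also looks up the user accepts none.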