Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rgw: Keystone PKI token expiration is not enforced #4765

Merged
merged 1 commit into from Aug 11, 2015
Merged

rgw: Keystone PKI token expiration is not enforced #4765

merged 1 commit into from Aug 11, 2015

Conversation

smithfarm
Copy link
Contributor

@smithfarm
rgw: always check if token is expired
d4ef556 
Fixes: ceph#11367

Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.

This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()

Signed-off-by: Anton Aksola <anton.aksola@nebula.fi>
Reported-by: Riku Lehto <riku.lehto@nexetic.com>
(cherry picked from commit 2df0693)
@smithfarm smithfarm added this to the firefly milestone May 26, 2015
@smithfarm smithfarm self-assigned this May 26, 2015
@loic-bot
Copy link

SUCCESS: http://jenkins.ceph.dachary.org/job/ceph/5425/

@ghost ghost changed the title Keystone PKI token expiration is not enforced rgw: Keystone PKI token expiration is not enforced Jul 21, 2015
@smithfarm
Copy link
Contributor Author

@dachary This has passed first round of integration testing as detailed in http://tracker.ceph.com/issues/11644

@ghost
Copy link

ghost commented Jul 24, 2015

For the record this is http://tracker.ceph.com/issues/11644#teuthology-run-commitb2aaddd3a06ac13c46df659e1f2b3119f5675802-firefly-backports-july-2015

@smithfarm
Copy link
Contributor Author

@yehudasa: This commit has passed integration tests (http://tracker.ceph.com/issues/11644#teuthology-run-commitb2aaddd3a06ac13c46df659e1f2b3119f5675802-firefly-backports-july-2015) -- is it OK to merge? I'm asking you because you merged the master commit that this is a backport of: #4617

@yehudasa
Copy link
Member

@smithfarm yes

yehudasa added a commit that referenced this pull request Aug 11, 2015
@yehudasa
Merge pull request #4765 from SUSE/wip-11721-firefly
50fa963 
rgw: Keystone PKI token expiration is not enforced
@yehudasa yehudasa merged commit 50fa963 into ceph:firefly Aug 11, 2015
@smithfarm smithfarm deleted the wip-11721-firefly branch September 5, 2015 07:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@smithfarm smithfarm

Labels
bug-fix rgw
Projects
None yet
Milestone
firefly
3 participants
@smithfarm @loic-bot @yehudasa