New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rgw: Keystone PKI token expiration is not enforced #4765

Merged
merged 1 commit into from Aug 11, 2015

Conversation

Projects
None yet
4 participants
@smithfarm
Contributor

smithfarm commented May 26, 2015

rgw: always check if token is expired
Fixes: #11367

Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.

This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()

Signed-off-by: Anton Aksola <anton.aksola@nebula.fi>
Reported-by: Riku Lehto <riku.lehto@nexetic.com>
(cherry picked from commit 2df0693)

@smithfarm smithfarm added this to the firefly milestone May 26, 2015

@smithfarm smithfarm self-assigned this May 26, 2015

@ghost ghost changed the title from Keystone PKI token expiration is not enforced to rgw: Keystone PKI token expiration is not enforced Jul 21, 2015

@smithfarm

This comment has been minimized.

Contributor

smithfarm commented Jul 24, 2015

@dachary This has passed first round of integration testing as detailed in http://tracker.ceph.com/issues/11644

@smithfarm

This comment has been minimized.

Contributor

smithfarm commented Jul 24, 2015

@yehudasa: This commit has passed integration tests (http://tracker.ceph.com/issues/11644#teuthology-run-commitb2aaddd3a06ac13c46df659e1f2b3119f5675802-firefly-backports-july-2015) -- is it OK to merge? I'm asking you because you merged the master commit that this is a backport of: #4617

@yehudasa

This comment has been minimized.

Member

yehudasa commented Aug 11, 2015

yehudasa added a commit that referenced this pull request Aug 11, 2015

Merge pull request #4765 from SUSE/wip-11721-firefly
rgw: Keystone PKI token expiration is not enforced

@yehudasa yehudasa merged commit 50fa963 into ceph:firefly Aug 11, 2015

@smithfarm smithfarm deleted the SUSE:wip-11721-firefly branch Sep 5, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment