Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rgw: Keystone PKI token expiration is not enforced #4884

Merged
1 commit merged into from Jul 8, 2015

Conversation

Projects
None yet
4 participants
@theanalyst
Copy link
Member

commented Jun 7, 2015

rgw: always check if token is expired
Fixes: #11367

Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.

This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()

Signed-off-by: Anton Aksola <anton.aksola@nebula.fi>
Reported-by: Riku Lehto <riku.lehto@nexetic.com>
(cherry picked from commit 2df0693)

@theanalyst theanalyst self-assigned this Jun 7, 2015

@theanalyst theanalyst added this to the hammer milestone Jun 7, 2015

@theanalyst theanalyst added bug fix core rgw and removed core labels Jun 7, 2015

@theanalyst theanalyst assigned yehudasa and theanalyst and unassigned theanalyst and yehudasa Jul 6, 2015

@theanalyst

This comment has been minimized.

Copy link
Member Author

commented Jul 6, 2015

@yehudasa This has passed the first run of integration tests for hammer backports, tracked at http://tracker.ceph.com/issues/11990#rgw Do you think it is ready to merge?

@yehudasa

This comment has been minimized.

Copy link
Member

commented Jul 6, 2015

ghost pushed a commit that referenced this pull request Jul 8, 2015

Loic Dachary
Merge pull request #4884 from theanalyst/wip-11722-hammer
Keystone PKI token expiration is not enforced

Reviewed-by: Yehuda Sadeh <yehuda@redhat.com>

@ghost ghost merged commit e33af22 into ceph:hammer Jul 8, 2015

@ghost ghost changed the title Keystone PKI token expiration is not enforced rgw: Keystone PKI token expiration is not enforced Aug 4, 2015

This issue was closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.