Bug #11367
Keystone PKI token expiration is not enforced
Description
Our customer reported that their tokens do not seem to expire.
It seems that there is no expiration check after decoding a PKI token. While there is an expiration check in the token cache class, it has no effect when dealing with PKI tokens.
I have made a small patch against firefly and it seems to correct the issue in our environment:
https://github.com/aakso/ceph/tree/wip-rgw-pki-token-expire-firefly
Related issues
Associated revisions
rgw: always check if token is expired
Fixes: #11367
Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.
This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()
Signed-off-by: Anton Aksola <anton.aksola@nebula.fi>
Reported-by: Riku Lehto <riku.lehto@nexetic.com>
rgw: always check if token is expired
Fixes: #11367
Currently token expiration is only checked by the token cache. With PKI
tokens no expiration check is done after decoding the token. This causes
PKI tokens to be valid indefinitely. UUID tokens are validated by
keystone after cache miss so they are not affected by this bug.
This commit adds explicit token expiration check to
RGWSwift::validate_keystone_token()
Signed-off-by: Anton Aksola <anton.aksola@nebula.fi>
Reported-by: Riku Lehto <riku.lehto@nexetic.com>
(cherry picked from commit 2df069390ea3bbcfbab5022750e89f51d197cc11)
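The control-flow defect the commit message describes, as an added illustration that is not Ceph's own code: a cut-down model of a Keystone token check with a token cache in front of it. The `pki:<user>:<expires>` token format, the `TokenCache` class and both `validate_*` functions are constructed for this example; real UUID tokens would be sent to Keystone on a cache miss, which the model omits and simply rejects.

```cpp
// Added illustration for #11367, not Ceph's own code: a cut-down model of
// RGW Swift/Keystone token validation with a token cache in front of it.
#include <ctime>
#include <map>
#include <string>
struct TokenInfo {
    std::string user;
    std::time_t expires;  // absolute expiry, seconds since the epoch
};
// Hypothetical stand-in for decoding a PKI (CMS-signed) token: the body carries
// its own expiry, so there is no round-trip to Keystone. Format: "pki:<user>:<expires>".
static bool decode_pki_token(const std::string& tok, TokenInfo& out) {
    if (tok.compare(0, 4, "pki:") != 0) return false;
    std::string::size_type sep = tok.find(':', 4);
    if (sep == std::string::npos) return false;
    out.user = tok.substr(4, sep - 4);
    out.expires = static_cast<std::time_t>(std::stoll(tok.substr(sep + 1)));
    return true;
}

struct TokenCache {
    std::map<std::string, TokenInfo> entries;
    // Before the fix, the cache lookup was the only place expiry was enforced.
    bool find(const std::string& tok, std::time_t now, TokenInfo& out) const {
        std::map<std::string, TokenInfo>::const_iterator it = entries.find(tok);
        if (it == entries.end() || it->second.expires <= now) return false;
        out = it->second;
        return true;
    }
};

// Buggy flow: on a cache miss the decoded PKI token is trusted as-is, so a
// token whose embedded expiry has already passed is accepted indefinitely.
bool validate_buggy(TokenCache& cache, const std::string& tok, std::time_t now) {
    TokenInfo info;
    if (cache.find(tok, now, info)) return true;
    if (!decode_pki_token(tok, info)) return false;
    cache.entries[tok] = info;
    return true;
}

// Fixed flow, mirroring what the commit describes: the expiry is checked
// explicitly after decoding, regardless of what the cache says.
bool validate_fixed(TokenCache& cache, const std::string& tok, std::time_t now) {
    TokenInfo info;
    if (cache.find(tok, now, info)) return true;
    if (!decode_pki_token(tok, info) || info.expires <= now) return false;
    cache.entries[tok] = info;
    return true;
}
```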
History
#1 Updated by Yehuda Sadeh almost 6 years ago
The fix looks correct. Can you send a pull request against the ceph upstream repository, and add a Signed-off-by tag to the commit?
#2 Updated by Loïc Dachary almost 6 years ago
- Status changed from New to Pending Backport
- Backport set to firefly
#3 Updated by Anton Aksola almost 6 years ago
- Correct patch, but against the wrong branch; needs to be on master: https://github.com/ceph/ceph/pull/4429
#4 Updated by Loïc Dachary almost 6 years ago
- Status changed from Pending Backport to In Progress
- Regression set to No
#5 Updated by Anton Aksola almost 6 years ago
I tested the patch against master snapshot in our QA and it seems to work. Going to resubmit a merge request soon.
#6 Updated by Anton Aksola almost 6 years ago
New pull request: https://github.com/ceph/ceph/pull/4617
#7 Updated by Yehuda Sadeh almost 6 years ago
- Backport changed from firefly to hammer, firefly
#8 Updated by Yehuda Sadeh almost 6 years ago
- Status changed from In Progress to Pending Backport
#9 Updated by Yehuda Sadeh almost 6 years ago
- Assignee set to Loïc Dachary
#10 Updated by Yehuda Sadeh over 5 years ago
- Status changed from Pending Backport to Resolved