| *** ykarel_ is now known as ykarel | 04:52 | |
|---|---|---|
| opendevreview | Merged openstack/keystone stable/2025.1: Add tests for restricted app cred guard https://review.opendev.org/c/openstack/keystone/+/985888 | 09:09 |
| opendevreview | Merged openstack/keystone stable/2025.1: Block restricted app creds from creating EC2 credentials via /credentials https://review.opendev.org/c/openstack/keystone/+/985922 | 10:31 |
| opendevreview | Merged openstack/keystone stable/2025.1: Block app cred tokens from authorizing OAuth1 requests https://review.opendev.org/c/openstack/keystone/+/985925 | 10:34 |
| opendevreview | Ivan Anfimov proposed openstack/keystone stable/2025.1: Enforce app cred project boundary on EC2 credential paths https://review.opendev.org/c/openstack/keystone/+/988237 | 10:36 |
| blanson[m] | Hello guys, while investigating an outage we had recently, we uncovered that `openstack user set --password <password>`, if run multiple times with the same password, would seem to invalidate tokens created prior to the password set for this user? Is this normal/expected behavior? | 18:27 |
| gtema | blanson - yes, it is expected. Every time the password changes, tokens issued with the previous password are revoked | 18:28 |
| blanson[m] | ok this is a design thing I don't get but everything's normal then, thank you ! | 18:29 |
| gtema | blanson - when you leak the password and need to rotate it asap, you also want tokens issued with the previous password to be invalidated. You have no other way | 18:32 |
| blanson[m] | yeah, thinking about it like that makes it very obvious why it needs to be this way actually | 18:33 |
| blanson[m] | I only saw this behavior from the perspective of "my user creation process isn't idempotent and breaks my existing tokens", but the security implications are pretty clear | 18:33 |
| blanson[m] | thank you again for the fast answer ! | 18:34 |
| gtema | welcome | 18:34 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!