Caching with stale data when a server disconnects due to network partition and reconnects
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | High | Morgan Fainberg |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
keystonemiddleware | Triaged | High | Morgan Fainberg |
oslo.cache | Fix Released | High | Morgan Fainberg |
Bug Description
The flush_on_reconnect optional flag is not used. This can cause stale data to be utilized from a cache server that disconnected due to a network partition. This has security concerns as follows:
1. Password changes/user changes may be reverted for the cache TTL.
   1a. User may get locked out if PCI-DSS is on and the password change happens during the network partition.
2. Grant changes may be reverted for the cache TTL.
3. Resources (all types) may become "undeleted" for the cache TTL.
4. Tokens (KSM) may become valid again during the cache TTL.
As noted in the python-memcached library:
    @param flush_on_reconnect: optional flag which prevents a
    than one memcached server and the connection to one is
    keys will map to it again. If it still has its data, get()s
    can read stale data that was overwritten on another
    server. This flag is off by default for backwards
The solution is to explicitly pass flush_on_reconnect as an optional argument. A concern with this model is that the memcached servers may be utilized by other tooling and may lose cache state (in the case the oslo.cache connection is the only thing affected by the network partitioning).
This similarly needs to be addressed in pymemcache when it is utilized in lieu of python-memcached.
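The sequence the report describes can be replayed offline with a small in-memory model. The code below is an added example, not code from this bug, keystone, keystonemiddleware, oslo.cache or python-memcached: two fake memcached nodes, a client that hashes each key to a primary node and falls over to the next node when the primary is unreachable, and an optional flush of a node the first time the client talks to it again after having seen it down. The names FakeMemcached, FakeClient and run_partition_scenario, the sample keys, and the failover rule are assumptions made for the example; the real python-memcached client rehashes the key on failure and flushes on every new connection rather than only after an observed outage, so this is a simplification of the mechanism, not a copy of it.

```python
"""Added example: reproduce the stale read after a network partition that
the bug report describes, with and without flush_on_reconnect.

FakeMemcached / FakeClient / run_partition_scenario are names invented for
this example; the failover and flush logic is a simplified model of
python-memcached's behaviour, not the library's own code.
"""
from dataclasses import dataclass, field


@dataclass
class FakeMemcached:
    """One memcached node: a key/value store plus a reachability switch."""
    name: str
    store: dict = field(default_factory=dict)
    reachable: bool = True

    def flush_all(self):
        self.store.clear()


class FakeClient:
    """Hash-routed client with failover to the next node in the list."""

    def __init__(self, servers, flush_on_reconnect=False):
        self.servers = list(servers)
        self.flush_on_reconnect = flush_on_reconnect
        self._seen_down = set()  # nodes we had to skip as unreachable

    def candidates(self, key):
        """Primary node for the key first, then the failover order."""
        n = len(self.servers)
        start = sum(key.encode()) % n  # toy hash, assumption for the example
        return [self.servers[(start + i) % n] for i in range(n)]

    def _pick(self, key):
        for srv in self.candidates(key):
            if not srv.reachable:
                self._seen_down.add(srv.name)
                continue
            if srv.name in self._seen_down:
                # First contact after an outage: this is the point where
                # flush_on_reconnect decides whether the old entries survive.
                self._seen_down.discard(srv.name)
                if self.flush_on_reconnect:
                    srv.flush_all()
            return srv
        return None

    def set(self, key, value):
        srv = self._pick(key)
        if srv is None:
            return False
        srv.store[key] = value
        return True

    def get(self, key):
        srv = self._pick(key)
        return None if srv is None else srv.store.get(key)


def run_partition_scenario(flush_on_reconnect):
    """Replay the report's sequence for one cached token and return what a
    reader sees afterwards, plus the fate of an unrelated key on the node."""
    nodes = [FakeMemcached("cache-a"), FakeMemcached("cache-b")]
    client = FakeClient(nodes, flush_on_reconnect=flush_on_reconnect)
    token_key = "token:abc123"  # constructed sample key
    home, _backup = client.candidates(token_key)

    client.set(token_key, "valid")             # token cached as valid
    home.store["other-tool:job-7"] = "kept"     # another tenant of the node (constructed)

    home.reachable = False                     # partition isolates the home node
    client.set(token_key, "revoked")           # revocation lands on the backup node

    home.reachable = True                      # partition heals; key maps home again
    return {
        "token": client.get(token_key),
        "unrelated": home.store.get("other-tool:job-7"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"flush_on_reconnect={flag}: {run_partition_scenario(flag)}")
```

Without the flag the read after the partition returns the pre-revocation value "valid", which is the token-resurrection case in item 4 of the list above; with the flag the node is emptied on first contact, the read misses, and the caller has to go back to the authoritative store. The second value returned shows the cost the reporter raises: the flush also discards entries that other tooling kept on the same node, so the whole node starts cold, not just the keys oslo.cache owned.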
tags: added: caching security
Changed in keystone: importance: Undecided → High
Changed in keystonemiddleware: importance: Undecided → High
Changed in oslo.cache: importance: Undecided → High
Changed in keystone: assignee: nobody → Morgan Fainberg (mdrnstm)
Changed in keystonemiddleware: assignee: nobody → Morgan Fainberg (mdrnstm)
Changed in oslo.cache: assignee: nobody → Morgan Fainberg (mdrnstm)
Changed in keystone: milestone: none → stein-rc1
Changed in keystone: status: New → Triaged
Changed in keystonemiddleware: status: New → Triaged
Changed in keystone: milestone: stein-rc1 → stein-rc2
Changed in keystone: milestone: stein-rc2 → none
"A concern with this model is that the memcached servers may be utilized by other tooling and may lose cache state (in the case the oslo.cache connection is the only thing affected by the network partitioning)."
That may be, but I'd rather have an empty but consistent cache than a full but incorrect one. Hopefully network partitions aren't a particularly common occurrence anyway.
So I guess +1 on setting this option.