Based on today's keystone meeting and the above comments, I've reduced the priority of this to Medium across the board and marked this as Won't Fix in Keystone.
Although this is working as intended, we acknowledge that that intended behavior is poorly documented, and it seems an OSSN is the best route to rectify that. I'd be happy to work with whoever wants to write the OSSN - ping me in IRC (dolphm) or leave a comment here. ** Changed in: keystone Importance: Critical => Medium ** Changed in: keystone Status: In Progress => Won't Fix ** Changed in: keystone/juno Importance: Critical => Medium ** Changed in: keystone/juno Status: In Progress => Won't Fix ** Changed in: ossn Importance: Undecided => Medium -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1434034 Title: Disabling users & groups may not invalidate previously-issued tokens Status in Keystone: Won't Fix Status in Keystone juno series: Won't Fix Status in OpenStack Security Advisory: Won't Fix Status in OpenStack Security Notes: Confirmed Bug description: Even if the user is disabled, can use the last token is validated. 0. user foo is enable 1. get token (a) 2. user foo is disabled 3. foo can still use any APIs by token(a) that's all. This issue is not cache process. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp