Bug ID 606072: User deletion doesn't delete tokens issued for that user at max 15 seconds

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Fixed In:
13.0.0

Opened: Jul 20, 2016
Severity: 3-Major

Symptoms

REST Framework polls for any changes in user every 15 seconds. When user is removed from MCP directly using tmsh or BIG-IP GUI, for REST that user will be still valid for at most 15 seconds. So any authentication tokens issued will not be invalidated and all REST API requests will work as that user remains valid until user deletion is synced.

Impact

After user deletion from MCP, tokens issued for that user will not immediately deleted from REST

Conditions

This occurs when users are deleted and the user is still using iControl REST.

Workaround

After user deletion, customer need to wait at most 15 seconds for change to take effect in REST API

Fix Information

When user is removed from REST, all tokens issued for that user is invalidated immediately. If a user is removed from MCP either using TMUI or tmsh, that change will be synced to REST after 15 seconds in the worse case.

Behavior Change

Auth token is removed upon user deletion.