yahoo-eng-team team mailing list archive

[Bug 1170186] Re: Unscoped tokens are revoked when assigning a role to a user

 

** Changed in: keystone/grizzly
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1170186

Title:
  Unscoped tokens are revoked when assigning a role to a user

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone grizzly series:
  Fix Released

Bug description:
  Back in Folsom, when a user creates a project and adds himself to
  that project, only the scoped token gets revoked, and then we reuse
  the unscoped token to reauthenticate so that the user won't be logged
  out of the system.

  In Grizzly, adding a user to a project results in all his tokens
  being revoked, even the unscoped ones. I've also tried Keystone V3,
  hoping that token scoping on domains would solve my problem, but
  the same thing still happens.

  My test:
  Token: UUID
  I've created a bunch of tokens with different scopes, some scoped to a domain and some to projects.

  mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
  +----------------------------------+-------+
  | id                               | valid |
  +----------------------------------+-------+
  | 067bb96c5ee3491c916c4db73693dfff |     1 | ----> Unscoped token
  | 3ba0ee57018c400f925d680068eb797e |     1 | ----> Scoped token
  | cdb6fe2a1d23477f8bb4339afc7ae2ec |     1 | ----> Unscoped token
  | e0f66872d37b4c8bab41e63a35313867 |     1 | ----> Scoped Token
  +----------------------------------+-------+

  --------> Then I added that user to a project

  mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
  Empty set (0.00 sec)

  --------> All tokens, no matter what scope, became invalid

  This also relates to the bugs filed in Horizon

  https://bugs.launchpad.net/horizon/+bug/1060426
  https://bugs.launchpad.net/horizon/+bug/1166794

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1170186/+subscriptions
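
Added example, not part of the bug report and not Keystone's code: a small model of the two revocation behaviours described in the bug, with a regression check that a user's unscoped tokens survive a role grant. The table layout (a project_id column that is NULL for unscoped tokens), the function names and the sample rows are assumptions made for this illustration; the reporter's query only shows the id, user_id and valid columns.

```python
import sqlite3

# Constructed sample rows: (token id, user id, project id or None if unscoped).
SAMPLE_ROWS = [
    ("tok-1", "user-a", None),
    ("tok-2", "user-a", "proj-1"),
    ("tok-3", "user-a", None),
    ("tok-4", "user-a", "proj-2"),
    ("tok-5", "user-b", "proj-1"),
]

def make_store(rows):
    """Build an in-memory token table using the simplified, assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE token (id TEXT PRIMARY KEY, user_id TEXT,"
                 " project_id TEXT, valid INTEGER NOT NULL DEFAULT 1)")
    conn.executemany(
        "INSERT INTO token (id, user_id, project_id) VALUES (?, ?, ?)", rows)
    return conn

def revoke_all(conn, user_id):
    """Behaviour reported for Grizzly: every token of the user is invalidated."""
    conn.execute("UPDATE token SET valid = 0 WHERE user_id = ?", (user_id,))

def revoke_scoped(conn, user_id):
    """Behaviour described for Folsom: only scoped tokens are invalidated."""
    conn.execute("UPDATE token SET valid = 0"
                 " WHERE user_id = ? AND project_id IS NOT NULL", (user_id,))

def valid_tokens(conn, user_id):
    """The reporter's check (valid = 1 for one user), plus each token's scope."""
    cur = conn.execute("SELECT id, project_id FROM token"
                       " WHERE user_id = ? AND valid = 1 ORDER BY id", (user_id,))
    return [(tid, "unscoped" if pid is None else "scoped") for tid, pid in cur]

def unscoped_survive(revoke, rows, user_id):
    """Regression check: True if all unscoped tokens of user_id remain valid."""
    conn = make_store(rows)
    expected = sorted(r[0] for r in rows if r[1] == user_id and r[2] is None)
    revoke(conn, user_id)  # stands in for the role assignment side effect
    left = [tid for tid, scope in valid_tokens(conn, user_id)
            if scope == "unscoped"]
    return left == expected

if __name__ == "__main__":
    for policy in (revoke_scoped, revoke_all):
        print(policy.__name__, unscoped_survive(policy, SAMPLE_ROWS, "user-a"))
```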