
yahoo-eng-team team mailing list archive

[Bug 1179955] Re: Disabling a tenant would not disable a user token

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => havana-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1179955

Title:
  Disabling a tenant would not disable a user token

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Using keystone/python-keystoneclient master as of today, disabling
  a tenant would not disable the users attached to the tenant, and they
  would still have access.

  I would not mind fixing it, but I want to make sure first whether this
  is something done by design or whether I am missing something.

  Here is a transcript of my tests:

  # Here is the list of my tenants all enabled and nice (devstack default)
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  |                id                |        name        | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde |       admin        |   True  |
  | b39f8b007abe472b93ebb5c7fdd80c98 |        demo        |   True  |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin |   True  |
  | 13fe49ee5e0144d0acd0c89fb901a248 |      service       |   True  |
  +----------------------------------+--------------------+---------+

  # Let's store the DEMO_TENANT_ID for later
  chmouel@vm:~$ DEMO_TENANT=b39f8b007abe472b93ebb5c7fdd80c98

  # getting a token with this script available here http://p.chmouel.com/ks which
  chmouel@vm:~$ ks localhost demo:demo ADMIN 
  [...]

  # Using the token I can access to my swift account properly all good here. 
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: tx390b2fb557fb4cb48a082-0051923f3b
  Date: Tue, 14 May 2013 13:42:19 GMT

  # Now let's try to disable that tenant
  chmouel@vm:~$ keystone tenant-update --enabled false ${DEMO_TENANT}

  # tenant is disabled all good
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  |                id                |        name        | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde |       admin        |   True  |
  | b39f8b007abe472b93ebb5c7fdd80c98 |        demo        |  False  |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin |   True  |
  | 13fe49ee5e0144d0acd0c89fb901a248 |      service       |   True  |
  +----------------------------------+--------------------+---------+

  # we still have access with that same token since it's properly in memcache
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: txf9d27a7a8a034304b13cb-0051923f6f
  Date: Tue, 14 May 2013 13:43:11 GMT

  # let's restart memcache to clear it
  chmouel@vm:~$ sudo /etc/init.d/memcached restart
  Restarting memcached: memcached.

  # but we still have access.
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: txbe0c0caf533a4f6e98345-0051923f97
  Date: Tue, 14 May 2013 13:43:51 GMT

  The JSON reply when validating the token says that the tenant is still
  enabled even if it's disabled:

  u'tenant': {u'description': None, u'enabled': True, u'id':
  u'b39f8b007abe472b93ebb5c7fdd80c98', u'name': u'demo'}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1179955/+subscriptions
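
The following is an added example, not part of the original report and not Keystone code: a small model of the behaviour the report describes, next to two defensive checks (re-checking tenant state at validation, and revoking tokens when a tenant is disabled). All class and method names are hypothetical, and storing a copy of the tenant record in the token is an assumption chosen to match the validation reply quoted in the report.

```python
# Simplified model of the reported behaviour; NOT Keystone's implementation.
# Class and method names are hypothetical.
import uuid


class IdentityStore:
    def __init__(self):
        self.tenants = {}  # tenant_id -> {"name": str, "enabled": bool}
        self.tokens = {}   # token_id -> {"user": str, "tenant": snapshot}

    def issue_token(self, user, tenant_id):
        tenant = self.tenants[tenant_id]
        if not tenant["enabled"]:
            raise PermissionError("tenant disabled")
        token_id = uuid.uuid4().hex
        # Assumption: the tenant record is copied into the token at issue time.
        self.tokens[token_id] = {"user": user, "tenant": dict(tenant, id=tenant_id)}
        return token_id

    def validate_stale(self, token_id):
        # Reported behaviour: validation returns the stored snapshot, so
        # 'enabled' still reads True after the tenant has been disabled.
        return self.tokens.get(token_id)

    def validate_live(self, token_id):
        # Defensive check 1: consult current tenant state on every validation.
        data = self.tokens.get(token_id)
        live = self.tenants.get(data["tenant"]["id"]) if data else None
        if not live or not live["enabled"]:
            return None
        return dict(data, tenant=dict(live, id=data["tenant"]["id"]))

    def disable_tenant(self, tenant_id, revoke=True):
        self.tenants[tenant_id]["enabled"] = False
        # Defensive check 2: drop every token scoped to the disabled tenant.
        doomed = [t for t, d in self.tokens.items()
                  if revoke and d["tenant"]["id"] == tenant_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


def demo():
    store = IdentityStore()
    tid = "b39f8b007abe472b93ebb5c7fdd80c98"  # demo tenant id from the transcript
    store.tenants[tid] = {"name": "demo", "enabled": True}
    tok = store.issue_token("demo", tid)
    store.disable_tenant(tid, revoke=False)   # disable without revocation
    stale, live = store.validate_stale(tok), store.validate_live(tok)
    revoked = store.disable_tenant(tid, revoke=True)
    return stale["tenant"]["enabled"], live, revoked, store.validate_stale(tok)
```

`demo()` returns `(True, None, 1, None)`: the stale path still reports the tenant as enabled, the live check rejects the token, and revocation removes the one token scoped to the tenant.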