yahoo-eng-team team mailing list archive

[Bug 1211388] Re: Assignment API confirms user in Identity API

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => havana-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1211388

Title:
  Assignment API confirms user in Identity API

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  In get_roles_for_user_and_domain and get_roles_for_user_and_project,
  the assignment API calls into the Identity API to confirm that the
  user exists. This call makes it impossible to implement external
  authentication where the user is queried solely based on their current
  credential. Also, this call is not required, as the user liveness
  will and should be checked earlier in the token creation process.

  If it is important for a certain API call to check if a user is
  active, it should be part of the controller call and not part of the
  core function.

  These calls are expensive; they make an additional RPC to the Database
  or Directory store.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1211388/+subscriptions