yahoo-eng-team team mailing list archive

[Bug 1226225] Re: v2 token cache not correctly invalidated when using "Belongs To"


** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1226225

Title:
  v2 token cache not correctly invalidated when using "Belongs To"

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  v2 token deletion and validation methods take an optional "belongs_to"
  parameter, which is the tenant.  Due to how sensitive the dogpile
  caching is on the parameters to validate_token, this can lead to
  problems where a token cache is not correctly cleared, for example,
  the following (pseudo test) will fail:

  - create a scoped token for a user to a project
  - check the token is valid, just using the token ID (without passing in belongs_to).....[this sets the cache]
  - delete the token using the driver function delete_tokens, passing in user and tenant
  - check if token is still valid, just using token ID (it will be returned successfully from the cache - which is incorrect)
  - check if token is still valid, token ID and tenant ID (it will not be found - which is correct)

  The problem is in invalidate_individual_token_cache in the token
  provider, which already tries to handle the case of invalidating a
  token with and without a belongs_to tenant....but doesn't catch the
  case when dogpile has cached the key as "tokenID, None" as the
  parameters.

  Thanks to morganfainberg for his help in debugging the above.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1226225/+subscriptions
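The pseudo test above, replayed against a constructed model of the cache-key mismatch; this is an added illustration, not Keystone's or dogpile's own code. ArgKeyedCache is a stand-in for a dogpile region keyed on the exact positional arguments, and TokenProvider, its backend dict and the "tok1"/"tenantA" values are hypothetical.

```python
"""Constructed model of the bug: a cached validate_token(token_id, None) key that
delete_tokens never clears. Not Keystone's code; names and values are hypothetical."""


class ArgKeyedCache:
    """Stand-in for a dogpile region: an entry is keyed on the exact argument tuple."""

    def __init__(self):
        self.store = {}

    def cache_on_arguments(self, fn):
        def wrapper(*args):
            key = (fn.__name__,) + args
            if key not in self.store:
                self.store[key] = fn(*args)
            return self.store[key]

        # Invalidation only hits the key for the exact argument tuple given.
        wrapper.invalidate = lambda *args: self.store.pop((fn.__name__,) + args, None)
        return wrapper


class TokenProvider:
    """Hypothetical provider whose cached validate_token must be cleared on delete."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.backend = {}  # token_id -> tenant_id (constructed store)
        self.validate_token = ArgKeyedCache().cache_on_arguments(self._validate)

    def _validate(self, token_id, belongs_to):
        tenant = self.backend.get(token_id)
        # Valid if the token exists and, when belongs_to is given, matches its tenant.
        return tenant is not None and (belongs_to is None or belongs_to == tenant)

    def delete_tokens(self, token_id, tenant_id):
        self.backend.pop(token_id, None)
        # Original behaviour: clear the bare key and the tenant-scoped key only.
        self.validate_token.invalidate(token_id)
        self.validate_token.invalidate(token_id, tenant_id)
        if self.fixed:
            # Fix: the call validate_token(token_id, None) lives under a third key.
            self.validate_token.invalidate(token_id, None)


def run_pseudo_test(fixed):
    """Returns (valid without belongs_to, valid with belongs_to) after deletion."""
    p = TokenProvider(fixed)
    p.backend["tok1"] = "tenantA"          # create a scoped token
    p.validate_token("tok1", None)         # validate by token ID only; sets the cache
    p.delete_tokens("tok1", "tenantA")     # delete by user/tenant
    return p.validate_token("tok1", None), p.validate_token("tok1", "tenantA")
```

With the original invalidation the first check still answers True from the stale cache while the tenant-scoped check correctly answers False; with the extra invalidate both answer False.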