yahoo-eng-team team mailing list archive
Message #05835
[Bug 1179955] Re: Disabling a tenant would not disable a user token
** Changed in: keystone/grizzly
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1179955
Title:
Disabling a tenant would not disable a user token
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone folsom series:
Fix Committed
Status in Keystone grizzly series:
Fix Released
Status in OpenStack Security Notes:
Fix Released
Status in “keystone” package in Gentoo Linux:
Fix Released
Bug description:
Using keystone/python-keystoneclient master as of today, disabling
a tenant would not disable the users attached to the tenant, and they
would still have access.
I would not mind fixing it, but I want to make sure first whether this is
something done by design or whether I am missing something.
Here is a transcript of my tests:
# Here is the list of my tenants all enabled and nice (devstack default)
chmouel@vm:~$ keystone tenant-list
+----------------------------------+--------------------+---------+
|                id                |        name        | enabled |
+----------------------------------+--------------------+---------+
| 1f1aeeace0db41e3966a4873877c4dde |       admin        |   True  |
| b39f8b007abe472b93ebb5c7fdd80c98 |        demo        |   True  |
| 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin |   True  |
| 13fe49ee5e0144d0acd0c89fb901a248 |      service       |   True  |
+----------------------------------+--------------------+---------+
# Let's store the DEMO_TENANT_ID for later
chmouel@vm:~$ DEMO_TENANT=b39f8b007abe472b93ebb5c7fdd80c98
# getting a token with this script available here http://p.chmouel.com/ks which
chmouel@vm:~$ ks localhost demo:demo ADMIN
[...]
# Using the token I can access my swift account properly, all good here.
chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
HTTP/1.1 204 No Content
Content-Length: 0
Accept-Ranges: bytes
X-Timestamp: 1368532646.31643
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: text/html; charset=UTF-8
X-Account-Object-Count: 0
X-Trans-Id: tx390b2fb557fb4cb48a082-0051923f3b
Date: Tue, 14 May 2013 13:42:19 GMT
# Now let's try to disable that tenant
chmouel@vm:~$ keystone tenant-update --enabled false ${DEMO_TENANT}
# tenant is disabled all good
chmouel@vm:~$ keystone tenant-list
+----------------------------------+--------------------+---------+
|                id                |        name        | enabled |
+----------------------------------+--------------------+---------+
| 1f1aeeace0db41e3966a4873877c4dde |       admin        |   True  |
| b39f8b007abe472b93ebb5c7fdd80c98 |        demo        |  False  |
| 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin |   True  |
| 13fe49ee5e0144d0acd0c89fb901a248 |      service       |   True  |
+----------------------------------+--------------------+---------+
# we still have access with that same token since it's properly in memcache
chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
HTTP/1.1 204 No Content
Content-Length: 0
Accept-Ranges: bytes
X-Timestamp: 1368532646.31643
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: text/html; charset=UTF-8
X-Account-Object-Count: 0
X-Trans-Id: txf9d27a7a8a034304b13cb-0051923f6f
Date: Tue, 14 May 2013 13:43:11 GMT
# let's restart memcache to clear it
chmouel@vm:~$ sudo /etc/init.d/memcached restart
Restarting memcached: memcached.
# but we still have access.
chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
HTTP/1.1 204 No Content
Content-Length: 0
Accept-Ranges: bytes
X-Timestamp: 1368532646.31643
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: text/html; charset=UTF-8
X-Account-Object-Count: 0
X-Trans-Id: txbe0c0caf533a4f6e98345-0051923f97
Date: Tue, 14 May 2013 13:43:51 GMT
The JSON reply when validating the token says that the tenant is still
enabled even though it is disabled:
u'tenant': {u'description': None, u'enabled': True, u'id':
u'b39f8b007abe472b93ebb5c7fdd80c98', u'name': u'demo'}}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1179955/+subscriptions
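
A minimal Python model of the symptom reported above, added here as an illustration; it is not Keystone's code or its fix. IdentityStore and all of its methods are hypothetical, and it assumes the token record keeps a copy of the tenant taken at issue time. It contrasts validation that answers from that copy with validation that re-reads the tenant, plus revocation when the tenant is disabled.

```python
import time
import uuid


class IdentityStore:
    """Toy in-memory identity backend (hypothetical, not Keystone code)."""

    def __init__(self):
        self.tenants = {}  # tenant_id -> live tenant record
        self.tokens = {}   # token_id -> {"tenant": snapshot, "expires": ts}

    def create_tenant(self, name):
        tenant_id = uuid.uuid4().hex
        self.tenants[tenant_id] = {"id": tenant_id, "name": name, "enabled": True}
        return tenant_id

    def issue_token(self, tenant_id, ttl=3600):
        tenant = self.tenants[tenant_id]
        if not tenant["enabled"]:
            raise PermissionError("tenant is disabled")
        token_id = uuid.uuid4().hex
        # Assumption: the token keeps a copy of the tenant as it was at issue time.
        self.tokens[token_id] = {"tenant": dict(tenant), "expires": time.time() + ttl}
        return token_id

    def _unexpired(self, token_id):
        token = self.tokens.get(token_id)
        return token if token and token["expires"] > time.time() else None

    def validate_snapshot(self, token_id):
        """Reported behaviour: answer from the stored snapshot only."""
        token = self._unexpired(token_id)
        return token["tenant"] if token else None

    def validate_live(self, token_id):
        """Hardened: re-read the tenant record on every validation."""
        token = self._unexpired(token_id)
        live = self.tenants.get(token["tenant"]["id"]) if token else None
        return dict(live) if live and live["enabled"] else None

    def disable_tenant(self, tenant_id, revoke_tokens=False):
        self.tenants[tenant_id]["enabled"] = False
        if revoke_tokens:
            # Drop every token scoped to the tenant at the moment it is disabled.
            self.tokens = {t: rec for t, rec in self.tokens.items()
                           if rec["tenant"]["id"] != tenant_id}
```

With the snapshot check, a token issued before the tenant was disabled keeps validating with 'enabled': True, matching the reply quoted in the report; the live check and the revoking disable both reject it.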