yahoo-eng-team team mailing list archive

[Bug 1292283] [NEW] revocation events: deleting a token revokes all tokens with same expiration


Public bug reported:

As part of the design process for revocation events it was determined
that a mechanism to revoke all dependent tokens was needed. This covers
the case of revoking a token and ensuring all tokens that were created
from that token are also revoked.

To accomplish this, the revocation of a specific token is done by
expiration_time. The expiration_time attribute is never changed on
subsequent tokens. This means it is easy to ensure revocation of an
entire chain of tokens.

This poses an issue if any specific token (or all tokens that are a
child of a specific token) should be revoked, but the parent tokens
should not be revoked.

Use case:

Get Unscoped token
Get Scoped Token from Unscoped token
Get New Scoped Token
Revoke first unscoped token
Now all tokens (including the Unscoped token) are revoked because they share an expiration_time.

Likely there needs to be a solution that allows for revoking based upon
expiration_time and issued_at and one that revokes on expiration_time
alone. Revoking by expiration_time alone is API incompatible with
previous API mechanisms (both V2 and V3).

This is the reason bug https://bugs.launchpad.net/horizon/+bug/1291099
was identified.

** Affects: keystone
     Importance: High
     Assignee: Adam Young (ayoung)
         Status: Triaged

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => High

** Changed in: keystone
     Assignee: (unassigned) => Adam Young (ayoung)

** Changed in: keystone
    Milestone: None => next

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1292283

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1292283/+subscriptions
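The two matching rules the report contrasts can be modelled in a few lines. The following is an added illustration written for this page, not Keystone's revocation-event code: token and event attributes (expiration_time, issued_at), the token ids, and the timestamps are constructed, and the rule that a scoped token inherits its parent's expiration_time is taken from the report. It reproduces the use case (unscoped token, two scoped tokens derived from it) and shows that an event keyed on expiration_time alone revokes the whole chain, including the parent when a child is the target, while an event that also carries issued_at revokes only the one token.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Token:
    token_id: str
    issued_at: datetime
    expiration_time: datetime
    project: Optional[str]      # None for an unscoped token
    parent_id: Optional[str]    # token this one was rescoped from, if any


@dataclass(frozen=True)
class RevocationEvent:
    expiration_time: datetime
    # None means "match on expiration_time alone" (the behaviour the bug describes);
    # a value means "match only the token issued at exactly this instant".
    issued_at: Optional[datetime] = None


def rescope(parent: Token, token_id: str, project: str, issued_at: datetime) -> Token:
    """Derive a scoped token from a parent. Per the report, expiration_time is
    never changed on subsequent tokens, so the child inherits it unchanged."""
    return Token(token_id, issued_at, parent.expiration_time, project, parent.token_id)


def is_revoked(token: Token, events: List[RevocationEvent]) -> bool:
    for ev in events:
        if ev.expiration_time != token.expiration_time:
            continue
        if ev.issued_at is None or ev.issued_at == token.issued_at:
            return True
    return False


def build_chain() -> Dict[str, Token]:
    """Constructed sample chain: one unscoped token and two scoped tokens
    obtained from it (timestamps are made up for the example)."""
    t0 = datetime(2014, 3, 14, 12, 0, tzinfo=timezone.utc)
    unscoped = Token("unscoped-1", t0, t0 + timedelta(hours=1), None, None)
    scoped_a = rescope(unscoped, "scoped-1", "project-a", t0 + timedelta(minutes=1))
    scoped_b = rescope(unscoped, "scoped-2", "project-b", t0 + timedelta(minutes=2))
    return {t.token_id: t for t in (unscoped, scoped_a, scoped_b)}


def revoke_and_check(target_id: str, match_issued_at: bool) -> Dict[str, bool]:
    """Emit one revocation event for `target_id` and report which tokens in the
    chain are now treated as revoked."""
    tokens = build_chain()
    target = tokens[target_id]
    event = RevocationEvent(
        expiration_time=target.expiration_time,
        issued_at=target.issued_at if match_issued_at else None,
    )
    return {tid: is_revoked(tok, [event]) for tid, tok in tokens.items()}


if __name__ == "__main__":
    # The reported behaviour: revoking the unscoped token revokes every token
    # that shares its expiration_time.
    print(revoke_and_check("unscoped-1", match_issued_at=False))
    # Worse for the "parent should survive" case: revoking one scoped child
    # also revokes the unscoped parent and its sibling.
    print(revoke_and_check("scoped-1", match_issued_at=False))
    # Adding issued_at to the match pins the event to exactly one token.
    print(revoke_and_check("scoped-1", match_issued_at=True))
```

The first two calls show the collapse the report describes: because expiration_time is shared along the chain, an event keyed on it alone cannot distinguish the target from its parent or siblings. Keeping both event shapes, as the report suggests, gives a chain-wide revocation (expiration_time only) and a targeted one (expiration_time plus issued_at) from the same matching logic.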