yahoo-eng-team team mailing list archive

[Bug 1311142] [NEW] Cache records for get_*_by_name are not invalidated on entity rename

 

Public bug reported:

I have noticed in the keystone code that the update_domain and
update_project methods in the assignment_api Manager invalidate the cache
for get_*_by_name() using the new name, not the old one.

For example, in update_domain(), if you are changing the domain name from
'OldName' to 'NewName', get_domain_by_name.invalidate() is called with
'NewName' as the argument. See:

https://github.com/openstack/keystone/blob/1e948043fe2456bd91b398317c71c665d69e9935/keystone/assignment/core.py#L320

As a result, the old name can be used in some requests until the cache
record expires. For example, if you rename a domain, the old name can
still be used for authentication (note: caching should be enabled in the
keystone configuration):

1. Define domain by its name during login:
curl -X POST -H 'Content-type: application/json' -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"name":"Alice","domain":{"name": "OldName"}, "password":"A12345678"}}}}}' -v http://192.168.56.101:5000/v3/auth/tokens

2. Change domain name:
curl -X PATCH -H 'Content-type: application/json' -H 'X-Auth-Token: indigitus' -d '{"domain":{"name":"NewName"}}' http://192.168.56.101:5000/v3/domains/7e0629d4e31b4c5591a4a10d0b8931df

3. Login using old domain name (copy command from step 1).

As a result, Alice will be logged in, even though the domain name
specified is not available anymore.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1311142
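
The invalidation mistake described in the report, as a simplified model added here (not keystone's code). `DomainManager`, the dict-backed cache and the `invalidate_old_name` switch are assumptions for illustration; the sample domain is constructed.

```python
class DomainNotFound(Exception):
    pass


class DomainManager:
    """Toy stand-in for a manager with a name-keyed lookup cache."""

    def __init__(self, invalidate_old_name):
        # False reproduces the reported behaviour; True is the corrected form.
        self.invalidate_old_name = invalidate_old_name
        self._by_id = {}       # backing store: id -> domain record
        self._name_cache = {}  # models the cache in front of get_domain_by_name

    def create_domain(self, domain_id, name):
        self._by_id[domain_id] = {"id": domain_id, "name": name}

    def get_domain_by_name(self, name):
        if name in self._name_cache:  # cache hit: backing store is not consulted
            return self._name_cache[name]
        for domain in self._by_id.values():
            if domain["name"] == name:
                self._name_cache[name] = dict(domain)
                return self._name_cache[name]
        raise DomainNotFound(name)

    def update_domain(self, domain_id, new_name):
        old_name = self._by_id[domain_id]["name"]
        self._by_id[domain_id]["name"] = new_name
        # Reported behaviour: only the NEW name is invalidated, so the entry
        # cached under the OLD name stays valid until it expires.
        self._name_cache.pop(new_name, None)
        if self.invalidate_old_name:
            self._name_cache.pop(old_name, None)


def old_name_resolves_after_rename(invalidate_old_name):
    """Replay steps 1-3 of the report against the model."""
    mgr = DomainManager(invalidate_old_name)
    mgr.create_domain("d1", "OldName")       # constructed sample domain
    mgr.get_domain_by_name("OldName")        # step 1: lookup by name warms the cache
    mgr.update_domain("d1", "NewName")       # step 2: rename
    try:
        mgr.get_domain_by_name("OldName")    # step 3: retry with the old name
        return True
    except DomainNotFound:
        return False


if __name__ == "__main__":
    print("invalidate new name only:", old_name_resolves_after_rename(False))
    print("invalidate old name too: ", old_name_resolves_after_rename(True))
```
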
