yahoo-eng-team team mailing list archive
Message #16382
[Bug 1311142] Re: Cache records for get_*_by_name are not invalidated on entity rename
** Also affects: keystone/havana
Importance: Undecided
Status: New
** Also affects: keystone/icehouse
Importance: Undecided
Status: New
** Changed in: keystone/havana
Importance: Undecided => Medium
** Changed in: keystone/icehouse
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1311142
Title:
Cache records for get_*_by_name are not invalidated on entity rename
Status in OpenStack Identity (Keystone):
Fix Committed
Status in Keystone havana series:
New
Status in Keystone icehouse series:
New
Bug description:
I have noticed in the keystone code that the update_domain and
update_project methods in the assignment_api Manager invalidate the
cache for get_*_by_name() using the new name, not the old one.
For example, in update_domain(), if you are changing a domain name from
'OldName' to 'NewName', get_domain_by_name.invalidate() is called with
'NewName' as the argument. See:
https://github.com/openstack/keystone/blob/1e948043fe2456bd91b398317c71c665d69e9935/keystone/assignment/core.py#L320
As a result, the old name can be used in some requests until the cache
record expires. For example, if you rename a domain, the old name can
still be used for authentication (note: caching should be enabled
in the keystone configuration):
1. Define domain by its name during login:
curl -X POST -H 'Content-type: application/json' -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"name":"Alice","domain":{"name": "OldName"}, "password":"A12345678"}}}}}' -v http://192.168.56.101:5000/v3/auth/tokens
2. Change domain name:
curl -X PATCH -H 'Content-type: application/json' -H 'X-Auth-Token: indigitus' -d '{"domain":{"name":"NewName"}}' http://192.168.56.101:5000/v3/domains/7e0629d4e31b4c5591a4a10d0b8931df
3. Login using old domain name (copy command from step 1).
As a result, Alice will be logged in, even though the domain name
specified is not available anymore.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1311142/+subscriptions
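The stale-entry behaviour reported above, reduced to a self-contained model; this is an added example, not part of the original message and not Keystone's code. NameCache, DomainManager, the invalidate_old_name switch and the "d1" domain id are hypothetical, and invalidating the old name is an assumed correction, since the message does not show the committed fix.

```python
class NameCache:
    """Stand-in for a name-keyed cache region (hypothetical, not Keystone's)."""
    def __init__(self):
        self._data = {}

    def get_or_create(self, key, creator):
        if key not in self._data:
            self._data[key] = creator()  # a raising creator caches nothing
        return self._data[key]

    def invalidate(self, key):
        self._data.pop(key, None)


class DomainManager:
    def __init__(self, invalidate_old_name):
        self.invalidate_old_name = invalidate_old_name
        self.cache = NameCache()
        self.domains = {}  # constructed backend: domain_id -> current name

    def _lookup(self, name):
        for domain_id, current in self.domains.items():
            if current == name:
                return {"id": domain_id, "name": current}
        raise LookupError(name)

    def get_domain_by_name(self, name):
        return self.cache.get_or_create(name, lambda: self._lookup(name))

    def update_domain(self, domain_id, new_name):
        old_name = self.domains[domain_id]
        self.domains[domain_id] = new_name
        self.cache.invalidate(new_name)      # the only call the report describes
        if self.invalidate_old_name:
            self.cache.invalidate(old_name)  # assumed correction: drop stale key


def old_name_resolves_after_rename(invalidate_old_name):
    mgr = DomainManager(invalidate_old_name)
    mgr.domains["d1"] = "OldName"
    mgr.get_domain_by_name("OldName")        # warm the cache (step 1)
    mgr.update_domain("d1", "NewName")       # rename (step 2)
    try:
        mgr.get_domain_by_name("OldName")    # retry with the old name (step 3)
        return True
    except LookupError:
        return False

if __name__ == "__main__":
    print(old_name_resolves_after_rename(False), old_name_resolves_after_rename(True))
```

A regression test for this class of bug has to warm the cache with the old name before the rename; without that first lookup both variants behave the same.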