← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #16706

[Bug 1335037] [NEW] get token fail also consume trust use

  Thread PreviousDate PreviousThread Next 
Public bug reported:

I think we should consume trust use only when getting token sucuess. But, currently if I get token fail the trust use will also be consumed. For example:
curl -i -H "Content-Type:application/json" http://127.0.0.1:35357/v3/auth/tokens -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'

If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the trust(bcbddcc479304a8a8c39df24a87cce85), get  token will fail:
{"error": {"message": "User is not a trustee. (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

But, the remaining uses of the trust will be consumed.

This is because we call "trust_api.consume_use" before
"token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375,
and issue_v3_token may be fail for some reasons.

** Affects: keystone
     Importance: Undecided
     Assignee: wanghong (w-wanghong)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => wanghong (w-wanghong)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1335037

Title:
  get token fail also consume trust use

Status in OpenStack Identity (Keystone):
  New

Bug description:
  I think we should consume trust use only when getting token sucuess. But, currently if I get token fail the trust use will also be consumed. For example:
  curl -i -H "Content-Type:application/json" http://127.0.0.1:35357/v3/auth/tokens -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'

  If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the trust(bcbddcc479304a8a8c39df24a87cce85), get  token will fail:
  {"error": {"message": "User is not a trustee. (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

  But, the remaining uses of the trust will be consumed.

  This is because we call "trust_api.consume_use" before
  "token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375,
  and issue_v3_token may be fail for some reasons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1335037/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next