yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1349597] Re: Domain-scoped tokens don't get revoked

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 31 Jul 2014 09:33:10 -0000
Reply-to: Bug 1349597 <1349597@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Sounds legit. Is havana also affected ?

** Changed in: ossa
       Status: New => Confirmed

** Changed in: ossa
   Importance: Undecided => Medium

** Also affects: keystone/havana
   Importance: Undecided
       Status: New

** Also affects: keystone/icehouse
   Importance: Undecided
       Status: New

** Changed in: keystone/icehouse
       Status: New => Confirmed

** Changed in: keystone/havana
       Status: New => Incomplete

** Tags removed: icehouse-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1349597

Title:
  Domain-scoped tokens don't get revoked

Status in OpenStack Identity (Keystone):
  In Progress
Status in Keystone havana series:
  Incomplete
Status in Keystone icehouse series:
  Confirmed
Status in OpenStack Security Advisories:
  Confirmed

Bug description:
  
  If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked.

  This is because the code to calculate the fields for a domain-scoped
  token don't use the domain-scope so that information can't be used
  when testing against the revocation events.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1349597/+subscriptions

References

[Bug 1349597] [NEW] Domain-scoped tokens don't get revoked
From: Brant Knudson, 2014-07-28