yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #20072
[Bug 1335037] Re: Remaining trust uses are consumed even when create token fails
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => juno-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1335037
Title:
Remaining trust uses are consumed even when create token fails
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
I think we should consume trust use only when getting token sucuess. But, currently if I get token fail the trust use will also be consumed. For example:
curl -i -H "Content-Type:application/json" http://127.0.0.1:35357/v3/auth/tokens -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'
If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the trust(bcbddcc479304a8a8c39df24a87cce85), get token will fail:
{"error": {"message": "User is not a trustee. (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
But, the remaining uses of the trust will be consumed.
This is because we call "trust_api.consume_use" before
"token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375,
and issue_v3_token may be fail for some reasons.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1335037/+subscriptions
References