yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1335037] Re: Remaining trust uses are consumed even when create token fails

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Sep 2014 14:32:21 -0000
Reply-to: Bug 1335037 <1335037@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1335037

Title:
  Remaining trust uses are consumed even when create token fails

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  I think we should consume trust use only when getting token sucuess. But, currently if I get token fail the trust use will also be consumed. For example:
  curl -i -H "Content-Type:application/json" http://127.0.0.1:35357/v3/auth/tokens -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'

  If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the trust(bcbddcc479304a8a8c39df24a87cce85), get  token will fail:
  {"error": {"message": "User is not a trustee. (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

  But, the remaining uses of the trust will be consumed.

  This is because we call "trust_api.consume_use" before
  "token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375,
  and issue_v3_token may be fail for some reasons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1335037/+subscriptions

References

[Bug 1335037] [NEW] get token fail also consume trust use
From: wanghong, 2014-06-27