
yahoo-eng-team team mailing list archive

[Bug 1401926] [NEW] Role revocation invalidates tokens on all user projects

 

Public bug reported:

Keystone invalidates every token for a user after changing its roles within one project.
This was reported by the Horizon team; here are the related bugs:
- https://bugs.launchpad.net/mos/+bug/1393732
- https://bugs.launchpad.net/horizon/+bug/1252341

After some debugging I discovered that it looks like a revocation
extension bug:

I added this test case to tests.test_v3_auth.TestTokenRevokeById

http://paste.openstack.org/show/149939/

It assigns a role to a user on 2 different projects, authorizes the user on those projects, and revokes the role from one of the projects.
The token to the other, "intact" project ceases to validate.

Further investigation showed me that the token is not deleted, but a
revocation event is created that matches both tokens.

** Affects: keystone
     Importance: Undecided
     Assignee: Alexander Makarov (amakarov)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1401926

Title:
  Role revocation invalidates tokens on all user projects

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1401926/+subscriptions
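
A simplified model of the behaviour reported above, added here as an illustration and not Keystone's code or the test case from the paste: revocation events are matched against token attributes, and an unset event attribute acts as a wildcard. The class names, field names and sample IDs are assumptions, and the model does not claim to show the actual root cause; it shows how an event that is not scoped to the project invalidates the token for the untouched project, while a scoped event does not.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Minimal project-scoped token (constructed sample attributes)."""
    user_id: str
    project_id: str
    roles: frozenset


@dataclass(frozen=True)
class RevocationEvent:
    """Hypothetical event: an attribute left as None matches any value."""
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    role_id: Optional[str] = None

    def matches(self, token: Token) -> bool:
        if self.user_id is not None and self.user_id != token.user_id:
            return False
        if self.project_id is not None and self.project_id != token.project_id:
            return False
        if self.role_id is not None and self.role_id not in token.roles:
            return False
        return True


def is_valid(token: Token, events) -> bool:
    """A token validates only if no revocation event matches it."""
    return not any(event.matches(token) for event in events)


def run_scenario(event: RevocationEvent):
    """Same role on two projects, role revoked on proj_a only.

    Returns (token for proj_a still valid, token for proj_b still valid).
    """
    token_a = Token("u1", "proj_a", frozenset({"member"}))
    token_b = Token("u1", "proj_b", frozenset({"member"}))
    return is_valid(token_a, [event]), is_valid(token_b, [event])


# Event without project scope: matches the user's tokens on every project.
BROAD = RevocationEvent(user_id="u1", role_id="member")
# Event scoped to the project where the role was actually revoked.
SCOPED = RevocationEvent(user_id="u1", project_id="proj_a", role_id="member")

if __name__ == "__main__":
    print("broad event :", run_scenario(BROAD))
    print("scoped event:", run_scenario(SCOPED))
```
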

