
yahoo-eng-team team mailing list archive

[Bug 1500459] [NEW] Validating federated fernet token loses user domain info


Public bug reported:


When using UUID tokens, after token validation the user's domain info is filled in. For federated ephemeral users the domain ID and name are both set to the [federation].federated_domain_name config value [1].

When using fernet tokens, the user domain info isn't filled in.

We've got code in keystone that assumes that all users are going to have
the domain info filled in, for example TokenModel raises UnexpectedError
if the user info in the token doesn't have a domain name or ID, and
doesn't provide a way to check if the user has a domain name or ID
first.[2] (Why does keystone have multiple ways to represent a token??)

The domain info should be filled in when using fernet tokens so that it
works like the other providers.

[1]
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/common.py?id=3d989e8815c5fe932bb6e7a3e0541e8c75046225#n589

[2]
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/token_model.py?id=3d989e8815c5fe932bb6e7a3e0541e8c75046225#n112

** Affects: keystone
     Importance: Undecided
     Assignee: Brant Knudson (blk-u)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1500459

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1500459/+subscriptions
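An added illustration of the invariant the report asks for (this is example code, not keystone's own): a post-validation step that guarantees every token carries user domain info, giving federated ephemeral users the configured federated domain name as both ID and name, next to a TokenModel-style accessor that raises when the info is absent. The token dict shape is a simplified stand-in for keystone's v3 token payload, FEDERATED_DOMAIN_NAME stands in for CONF.federation.federated_domain_name, and UnexpectedError is a local stand-in for keystone's exception.

```python
import copy

# Stand-in for the [federation].federated_domain_name option (constructed value).
FEDERATED_DOMAIN_NAME = "Federated"


class UnexpectedError(Exception):
    """Local stand-in for keystone.exception.UnexpectedError."""


def is_federated_user(token):
    # Federated ephemeral users carry an OS-FEDERATION block in the user dict.
    return "OS-FEDERATION" in token.get("user", {})


def has_user_domain(token):
    """True when the validated token already carries a user domain ID and name."""
    domain = token.get("user", {}).get("domain", {})
    return bool(domain.get("id")) and bool(domain.get("name"))


def fill_user_domain(token):
    """Return a copy of the token with user domain info guaranteed present.

    Mirrors what the report says the UUID provider does: for federated
    ephemeral users both the domain ID and name become the configured
    federated domain name.  A non-federated user without a domain is a
    validation bug, so that case raises instead of being papered over.
    """
    token = copy.deepcopy(token)
    if not has_user_domain(token):
        if not is_federated_user(token):
            raise UnexpectedError("non-federated user has no domain info")
        token["user"]["domain"] = {"id": FEDERATED_DOMAIN_NAME,
                                   "name": FEDERATED_DOMAIN_NAME}
    return token


def user_domain_id(token):
    """Accessor that, like TokenModel, raises rather than returning None."""
    if not has_user_domain(token):
        raise UnexpectedError("token user has no domain ID")
    return token["user"]["domain"]["id"]


# Constructed sample: a federated ephemeral user as a fernet validation
# returns it before the fix, with no 'domain' key on the user.
FERNET_FEDERATED_TOKEN = {
    "user": {"id": "abc123", "name": "alice",
             "OS-FEDERATION": {"identity_provider": {"id": "idp1"},
                               "protocol": {"id": "saml2"},
                               "groups": [{"id": "g1"}]}},
}
```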
