yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1513893] [NEW] Token invalidation on project delete doesn't take into inheritance into account

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Henry Nash <henryn@xxxxxxxxxxxxxxxxxx>
Date: Fri, 06 Nov 2015 16:18:33 -0000
Reply-to: Bug 1513893 <1513893@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

When we delete a project, we invalidate all the project tokens for any
user who has a role on that project. The underlying assignment manager
method used for this is list_user_ids_for_project().  This uses a driver
method that just looks are direct assignments - and ignores any
inherited or group role assignments any user may have on this project.

** Affects: keystone
     Importance: Undecided
     Assignee: Henry Nash (henry-nash)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Henry Nash (henry-nash)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1513893

Title:
  Token invalidation on project delete doesn't take into inheritance
  into account

Status in OpenStack Identity (keystone):
  New

Bug description:
  When we delete a project, we invalidate all the project tokens for any
  user who has a role on that project. The underlying assignment manager
  method used for this is list_user_ids_for_project().  This uses a
  driver method that just looks are direct assignments - and ignores any
  inherited or group role assignments any user may have on this project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1513893/+subscriptions

Follow ups

[Bug 1513893] Fix merged to keystone (master)
From: OpenStack Infra, 2015-12-18