yahoo-eng-team team mailing list archive

[Bug 1500459] Re: Validating federated fernet token loses user domain info

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1500459

Title:
  Validating federated fernet token loses user domain info

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  
  When using UUID tokens, after token validation the user's domain info is filled in. For federated ephemeral users the domain ID and name are both set to the [federation].federated_domain_name config value.[1]

  When using fernet tokens, the user domain info isn't filled in.

  We've got code in keystone that assumes that all users are going to
  have the domain info filled in, for example TokenModel raises
  UnexpectedError if the user info in the token doesn't have a domain
  name or ID, and doesn't provide a way to check if the user has a
  domain name or ID first.[2] (Why does keystone have multiple ways to
  represent a token??)

  The domain info should be filled in when using fernet tokens so that
  it works like the other providers.

  [1]
  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/common.py?id=3d989e8815c5fe932bb6e7a3e0541e8c75046225#n589

  [2]
  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/token_model.py?id=3d989e8815c5fe932bb6e7a3e0541e8c75046225#n112

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1500459/+subscriptions
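
The mismatch described in the bug report, as an added example that is not keystone code and not part of the original message: a simplified model of a strict domain accessor, a normalisation step for federated users, and a check that flags providers whose validated token lacks the user domain. All function names, the sample token bodies and the `Federated` config value are assumptions made for illustration.

```python
# Simplified model of the behaviour in the bug report; not keystone code.
# All function and class names here are hypothetical.
FEDERATED_DOMAIN_NAME = "Federated"  # assumed [federation].federated_domain_name


class UnexpectedError(Exception):
    """Stand-in for the error the report says TokenModel raises."""


def user_domain_id(token_data):
    """Strict accessor: fails when the user section has no domain ID."""
    try:
        return token_data["token"]["user"]["domain"]["id"]
    except KeyError:
        raise UnexpectedError("token user has no domain ID")


def fill_federated_domain(token_data, domain_name=FEDERATED_DOMAIN_NAME):
    """Return a copy whose federated user carries a domain ID and name.

    Non-federated users and users that already have a domain are left alone.
    """
    user = dict(token_data["token"]["user"])
    if "OS-FEDERATION" in user and "domain" not in user:
        # Per the report, ID and name are both set to the config value.
        user["domain"] = {"id": domain_name, "name": domain_name}
    return {"token": dict(token_data["token"], user=user)}


def domain_regressions(validated_by_provider):
    """Names of providers whose validated token fails the strict accessor."""
    failing = []
    for provider, token_data in validated_by_provider.items():
        try:
            user_domain_id(token_data)
        except UnexpectedError:
            failing.append(provider)
    return sorted(failing)


# Constructed sample bodies for the same federated ephemeral user.
_fed = {"id": "abc123", "name": "jdoe", "OS-FEDERATION": {"groups": []}}
SAMPLE = {
    "uuid": {"token": {"user": dict(
        _fed, domain={"id": "Federated", "name": "Federated"})}},
    "fernet": {"token": {"user": dict(_fed)}},
}

if __name__ == "__main__":
    print(domain_regressions(SAMPLE))
```

Running the same comparison over real validation responses from each configured token provider gives a regression check for this class of bug.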
