yahoo-eng-team team mailing list archive

[Bug 1524849] Re: Cannot use trusts with fernet tokens


Reviewed:  https://review.openstack.org/257478
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c885eeed341fd2ebca8d7c0bec0c51b00df2f28e
Submitter: Jenkins
Branch:    master

commit c885eeed341fd2ebca8d7c0bec0c51b00df2f28e
Author: Boris Bobrov <bbobrov@xxxxxxxxxxxx>
Date:   Mon Dec 14 19:42:43 2015 +0300

    Verify that user is trustee only on issuing token
    
    get_token_data is used to gather various data for a token. One of the
    checks it does is verifying that the authenticated user is a trustee.
    Before Fernet, it was used during token issuing.
    
    Impersonation in trusts substitutes information about the user in the
    token, so instead of the trustee, the trustor is stored in the token.
    
    With Fernet tokens, get_token_data is used during token validation.
    In case of impersonation, the user_id stored in the Fernet token is the
    id of the trustor, but the check described needs this id to be the id
    of the trustee.
    
    Move the check to happen only on token issuing.
    
    Change-Id: I7c02cc6a1dbfe4e28d390960ac85d4574759b1a8
    Closes-Bug: 1524849


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1524849

Title:
  Cannot use trusts with fernet tokens

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Master, devstack (installed today).
  1. Enable fernet tokens in Keystone
  2. Add the following lib to the glance/common/ folder:
  http://paste.openstack.org/show/481480/
  3. Replace the upload method in glance/api/v2/image_data.py with the following:
  http://paste.openstack.org/show/481489/
  NOTE: it is just an example of the code to demonstrate that fernet tokens can't work well with trusts.
  4. Restart glance
  5. Try to upload any image.
  You will get the following error when deleting the trust: http://paste.openstack.org/show/481493/
  When you try to upload a big image that requires more than an hour (or reduce the token expiration)
  you will get the following: http://paste.openstack.org/show/481492/
  Apparently, the refreshed token is rejected by keystone-middleware.

  I faced this issue when implementing trusts for Glance, but it seems that Heat and other services have the same troubles.
  UUID tokens work as expected.
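The following is an added toy model of the failure the commit message and bug description describe; it is not Keystone code. The function names (issue_token, validate_fernet_token, validate_uuid_token, roundtrip, can_issue), the in-memory TRUSTS table and the sample trust between users "alice" and "bob" are constructed for illustration; only the behaviour mirrors the commit: an impersonating trust stores the trustor's id in the token, a Fernet validate rebuilds token data through get_token_data, and the trustee check therefore fails at validation unless it is moved to issue time.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str   # user whose identity is delegated
    trustee_user_id: str   # user allowed to consume the trust
    impersonation: bool    # token presents the trustor instead of the trustee

# Constructed sample data: "bob" may act as "alice" with impersonation.
TRUSTS = {"t-1": Trust("t-1", "alice", "bob", True)}
UUID_TOKEN_STORE = {}  # hypothetical persisted token data for the UUID provider

def _check_trustee(trust, user_id):
    if user_id != trust.trustee_user_id:
        raise PermissionError("user %r is not the trustee of %s" % (user_id, trust.trust_id))

def get_token_data(user_id, trust_id, check_trustee):
    """Gather token data. Before the fix the trustee check lived here, so it ran
    wherever get_token_data was called; after the fix it is skipped here."""
    trust = TRUSTS[trust_id]
    if check_trustee:
        _check_trustee(trust, user_id)
    # Impersonation substitutes the trustor for the authenticated user.
    effective_user = trust.trustor_user_id if trust.impersonation else user_id
    return {"user_id": effective_user, "trust_id": trust_id}

def issue_token(authenticated_user, trust_id, fixed):
    # Issuing always verifies that the authenticated user is the trustee.
    if fixed:
        _check_trustee(TRUSTS[trust_id], authenticated_user)
    data = get_token_data(authenticated_user, trust_id, check_trustee=not fixed)
    UUID_TOKEN_STORE[trust_id + ":" + authenticated_user] = data
    return data

def validate_fernet_token(payload, fixed):
    """Fernet tokens carry only ids, so validation rebuilds the data with
    get_token_data, feeding it the user_id from the payload: the trustor."""
    return get_token_data(payload["user_id"], payload["trust_id"], check_trustee=not fixed)

def validate_uuid_token(key):
    # UUID tokens return the data persisted at issue time; no re-check happens.
    return UUID_TOKEN_STORE[key]

def roundtrip(fixed):
    payload = issue_token("bob", "t-1", fixed)
    try:
        return "valid" if validate_fernet_token(payload, fixed)["user_id"] == "alice" else "wrong user"
    except PermissionError as exc:
        return "rejected: " + str(exc)

def can_issue(user, trust_id, fixed):
    try:
        issue_token(user, trust_id, fixed)
        return True
    except PermissionError:
        return False
```

roundtrip(False) reproduces the rejection of an impersonating Fernet token at validation, roundtrip(True) shows the fixed flow, and can_issue shows that a non-trustee is still refused at issue time in both versions.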

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1524849/+subscriptions