yahoo-eng-team team mailing list archive

[OpenStack Infra <1513893@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/242564
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=57999b564df2a663b24ae91c80d3bfd4a3b914d1
Submitter: Jenkins
Branch:    master

commit 57999b564df2a663b24ae91c80d3bfd4a3b914d1
Author: Henry Nash <henryn@xxxxxxxxxxxxxxxxxx>
Date:   Fri Nov 6 16:57:11 2015 +0000

    Show defect in list_user_ids that only lists direct user assignments
    
    The assignment manager method list_user_ids_for_projects fails to
    honor either group or inherited assignments. Since this is used
    to generate token invalidations, we could be leaving tokens out there
    which should be killed.
    
    Change-Id: I96b2a1f10e3a5013f1151b6c38ddc75282b69c6f
    Partial-Bug: #1513893


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1513893

Title:
  Token invalidation on project delete doesn't take into inheritance
  into account

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When we delete a project, we invalidate all the project tokens for any
  user who has a role on that project. The underlying assignment manager
  method used for this is list_user_ids_for_project().  This uses a
  driver method that just looks are direct assignments - and ignores any
  inherited or group role assignments any user may have on this project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1513893/+subscriptions