
yahoo-eng-team team mailing list archive

[Bug 1532280] [NEW] Fernet trust token is still valid when user's domain is disabled.


Public bug reported:

When you have a Fernet trust-scoped token, and the user's domain is
disabled, the token is still valid. This is inconsistent with the
behavior of the UUID token provider.

Part of the fix has already been incorporated into a patch up for review
[0]; it was discovered by jorge_munoz in some of his testing. But, since
this is an inconsistency between token providers, there was a case for
breaking it out into its own bug and its own fix.

Steps to reproduce
- Modify the keystone config to issue Fernet tokens
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token

The token validation in the last step should return a 401; instead, a
proper token validation is returned.

[0] https://review.openstack.org/#/c/253273/27

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: fernet
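Added example, not keystone's code and not taken from the linked review: a small Python model of trust-scoped token validation that replays the steps above against constructed in-memory backends (the ids such as `u-trustee` and `t-1` are made up). With `check_domains=False` it reproduces the reported behaviour; with the check on, validation fails as a 401 should. It goes one step beyond the report by also checking the trustor's domain, since a trust is only meaningful while both parties remain valid.

```python
import copy


class Unauthorized(Exception):
    """Stands in for the 401 keystone should return."""


# Constructed stand-in for keystone's identity and trust backends.
CATALOG = {
    "domains": {"d-trustor": {"enabled": True}, "d-trustee": {"enabled": True}},
    "users": {"u-trustor": {"domain_id": "d-trustor", "enabled": True},
              "u-trustee": {"domain_id": "d-trustee", "enabled": True}},
    "trusts": {"t-1": {"trustor_user_id": "u-trustor", "trustee_user_id": "u-trustee"}},
}


def validate_trust_token(payload, catalog, check_domains=True):
    """Validate a decrypted trust-scoped token payload (a hypothetical model).

    A Fernet payload carries only ids, so every enabled/disabled check must
    be redone against the backend at validation time. check_domains=False
    reproduces the bug: user records are checked, their domains are not.
    """
    trust = catalog["trusts"].get(payload["trust_id"])
    if trust is None:
        raise Unauthorized("trust not found")
    if payload["user_id"] != trust["trustee_user_id"]:
        raise Unauthorized("token user is not the trustee")
    # Both parties to the trust must still be usable for the token to be valid.
    for user_id in (trust["trustee_user_id"], trust["trustor_user_id"]):
        user = catalog["users"].get(user_id)
        if user is None or not user["enabled"]:
            raise Unauthorized("user %s disabled or missing" % user_id)
        if check_domains:
            domain = catalog["domains"].get(user["domain_id"])
            if domain is None or not domain["enabled"]:
                raise Unauthorized("domain %s disabled or missing" % user["domain_id"])
    return {"user_id": payload["user_id"], "trust_id": payload["trust_id"]}


def reproduce(check_domains):
    """Replay the report's steps; returns 'valid' or '401'."""
    catalog = copy.deepcopy(CATALOG)
    payload = {"user_id": "u-trustee", "trust_id": "t-1"}  # issued while all enabled
    catalog["domains"]["d-trustee"]["enabled"] = False       # admin disables trustee's domain
    try:
        validate_trust_token(payload, catalog, check_domains)
        return "valid"
    except Unauthorized:
        return "401"
```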

** Tags added: fernet


-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1532280


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1532280/+subscriptions

