yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #45756
[Bug 1443104] Re: Owners logout from Horizon are not allowed to delete token with v2 API.
Marking as invalid since this should have expired as incomplete long
ago.
** Changed in: keystone
Status: Incomplete => Invalid
** Changed in: keystone
Assignee: hongxiaolong (hongxiaolong-info) => (unassigned)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1443104
Title:
Owners logout from Horizon are not allowed to delete token with v2
API.
Status in OpenStack Identity (keystone):
Invalid
Bug description:
Delete token by owner (Logout from Horizon) as follows:
curl -i -X DELETE
http://0.0.0.0:5000/v2.0/tokens/0c9d279867564955a98767b6493e8f30 -H
"User-Agent: python-keystoneclient" -H "X-Auth-Token:
d13e923d3424485b8edae3496b9905be"
Then get a "403 Forbidden" response caused by policy "admin_required" in assert_admin() in the API named "delete_token".
HTTP/1.1 403 Forbidden
Date: Sun, 12 Apr 2015 13:43:55 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Vary: X-Auth-Token
x-openstack-request-id: req-f5097bcd-764d-4e72-8aee-0382df15bfbc
Content-Length: 186
Content-Type: application/json
{"error": {"message": "You are not authorized to perform the requested
action: identity:delete_token (Disable debug mode to suppress these
details.)", "code": 403, "title": "Forbidden"}}
Also, there will be an error message in horizon logs:
Could not delete token
The problem mainly causes by unreasonable admin role, those member
users logout out from horizon unable to delete their own tokens,
resulting in large numbers of redundancy tokens.
In fact, it should be deleted by admin and owner.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1443104/+subscriptions
References
