
yahoo-eng-team team mailing list archive

[Bug 1443104] Re: Owners logout from Horizon are not allowed to delete token with v2 API.

 

Marking as invalid since this should have expired as incomplete long
ago.

** Changed in: keystone
       Status: Incomplete => Invalid

** Changed in: keystone
     Assignee: hongxiaolong (hongxiaolong-info) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1443104

Title:
  Owners logout from Horizon are not allowed to delete token with v2
  API.

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Delete token by owner (Logout from Horizon) as follows:

  curl -i -X DELETE \
    http://0.0.0.0:5000/v2.0/tokens/0c9d279867564955a98767b6493e8f30 \
    -H "User-Agent: python-keystoneclient" \
    -H "X-Auth-Token: d13e923d3424485b8edae3496b9905be"

  Then get a "403 Forbidden" response caused by policy "admin_required" in assert_admin() in the API named "delete_token".
   
  HTTP/1.1 403 Forbidden
  Date: Sun, 12 Apr 2015 13:43:55 GMT
  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
  Vary: X-Auth-Token
  x-openstack-request-id: req-f5097bcd-764d-4e72-8aee-0382df15bfbc
  Content-Length: 186
  Content-Type: application/json

  {"error": {"message": "You are not authorized to perform the requested
  action: identity:delete_token (Disable debug mode to suppress these
  details.)", "code": 403, "title": "Forbidden"}}

  Also, there will be an error message in horizon logs:

  Could not delete token

  The problem is mainly caused by the unreasonable admin role: member
  users who log out from Horizon are unable to delete their own tokens,
  resulting in large numbers of redundant tokens.

  In fact, it should be deleted by admin and owner.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1443104/+subscriptions
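
Added example, not part of the original bug report and not keystone's code: a simplified model of the authorization decision on token deletion, comparing the admin-only check the report describes with the admin-or-owner check it asks for. All names (Token, sample_store, delete_token, both check functions), the token ids and the status codes returned are assumptions made for illustration.

```python
# Simplified model of the decision behind DELETE /v2.0/tokens/{token_id}.
# Hypothetical names throughout; this is not keystone's implementation.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Token:
    user_id: str
    roles: frozenset
    revoked: bool = False


def sample_store():
    """Constructed sample data: two tokens for alice, one for bob, one admin."""
    return {
        "tok-member-a": Token("alice", frozenset({"member"})),
        "tok-member-b": Token("alice", frozenset({"member"})),
        "tok-other": Token("bob", frozenset({"member"})),
        "tok-admin": Token("root", frozenset({"admin"})),
    }


def admin_required(caller, target):
    """Behaviour described in the report: only the admin role passes."""
    return "admin" in caller.roles


def admin_or_owner(caller, target):
    """Behaviour the reporter asks for: admin, or same user as the target."""
    return "admin" in caller.roles or caller.user_id == target.user_id


def delete_token(store, auth_token_id, target_id, check):
    """Return the HTTP status the request would get under the given check."""
    caller = store.get(auth_token_id)
    if caller is None or caller.revoked:
        return 401  # unknown or already revoked X-Auth-Token
    target = store.get(target_id)
    if target is None or target.revoked:
        # Non-admins get the same answer as for someone else's token,
        # so the endpoint cannot be used to test whether a token id exists.
        return 404 if "admin" in caller.roles else 403
    if not check(caller, target):
        return 403
    store[target_id] = replace(target, revoked=True)
    return 204
```

The owner comparison is on the user behind the two tokens, not on the token ids, which matches the request in the report where the X-Auth-Token and the token being deleted are different values.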