yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1523664] Re: Token operations fail when fernet key repository isn't writeable

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Steve Martinelli <1523664@xxxxxxxxxxxxxxxxxx>
Date: Thu, 26 May 2016 20:59:48 -0000
Reply-to: Bug 1523664 <1523664@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone/liberty
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1523664

Title:
  Token operations fail when fernet key repository isn't writeable

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) liberty series:
  Fix Released

Bug description:
  When using fernet tokens, I'm unable to get a token if the
  key_repository isn't writeable [0]. The main keystone process is only
  required to read keys from the key repository. The keystone-manage
  process must have write access to the key repository in order to
  bootstrap keys.

  Keystone doesn't rely on write access in order to create tokens. The
  check for keystone shouldn't be dependent on it having write access,
  since it doesn't need it [1].

  The write permissions should be kept when called from keystone-manage,
  but not when called from keystone.

  mfisch and clayton from Time Warner Cable brought this to my attention
  and I was able to recreate.

  [0] http://cdn.pasteraw.com/nng0up76dgy5b3naw0hw4bdabdkin84
  [1] https://github.com/openstack/keystone/blob/56d3d76304a88baa3ff90e94e6bbd6d8d28e7dcf/keystone/token/providers/fernet/utils.py#L34-L36

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1523664/+subscriptions

References

[Bug 1523664] [NEW] Token operations fail when fernet key repository isn't writeable
From: Lance Bragstad, 2015-12-07