
yahoo-eng-team team mailing list archive

[Bug 1532280] Fix merged to keystone (master)


Reviewed:  https://review.openstack.org/339176
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d53db1889e17d493202743246243936af90234b9
Submitter: Jenkins
Branch:    master

commit d53db1889e17d493202743246243936af90234b9
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Thu Jul 7 18:32:11 2016 +0000

    Fix fernet token validate for disabled domains/trusts
    
    This commit adds a check when rebuilding the authorization context of a
    trust-scoped token to make sure that both the trustor and the trustee are in
    enabled domains. With this patch the uuid token provider and the fernet token
    provider give the same response when caching is disabled. If caching is
    enabled, the fernet provider will still consider a trust-scoped token valid
    even though the trustor/trustee is in a disabled domain. A subsequent patch
    will fix the revocation event to make sure the token is removed from the cache
    when a domain is disabled.
    
    Change-Id: If3e941018d5c2c9bd22397e69f83b7bf92643340
    Partial-Bug: 1532280


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1532280

Title:
  Fernet trust token is still valid when trustee's domain is disabled.

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When you have a Fernet trust-scoped token, and the user's domain is
  disabled, the token is still valid. This is inconsistent with the
  behavior of the UUID token provider.

  Part of the fix has already been incorporated into a patch up for
  review [0]; it was discovered by jorge_munoz in some of his testing.
  But, since this is an inconsistency between token providers, there
  was a case for breaking it out into its own bug and its own fix.

  Steps to reproduce:
  - Enable the Fernet token provider in the keystone.conf file
  - Create domain A
  - Create a user in domain A
  - Create a project in domain A
  - Grant the user in domain A a role on the project in domain A
  - Create domain B
  - Create a user in domain B
  - As the user in domain A, create a trust with the user in domain B on the project in domain A
  - As the user in domain B, get a project-scoped token using the trust
  - As the admin, disable domain B (which is the trustee's domain)
  - As the user in domain B, validate the trust-scoped token

  This validation should return 404 Not Found, but instead it returns
  200 OK. We have a patch in review that exposes the behavior for the
  Fernet provider [1].

  [0] https://review.openstack.org/#/c/253273/27
  [1] https://review.openstack.org/#/c/265455/4

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1532280/+subscriptions
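The following is an added, self-contained model of the validation check described in the commit message and of the reproduction steps in the bug description; it is not Keystone's code, and the class names (TokenValidator, Trust, Token), the in-memory dictionaries, the constructed domains/users ("A", "B", "alice", "bob", "proj-a", "t1", "tok-1") and the cache eviction in disable_domain are all assumptions made for illustration. It walks the steps from the report (trust from a user in domain A to a user in domain B, trust-scoped token for the trustee, then disabling a domain) and returns the HTTP status a validate call would map to before and after the disable. It also models the caching caveat from the commit message: when a cached authorization context is not evicted on domain disable, the trust-scoped token still validates as 200 even though the trustee's domain is disabled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class TokenNotFound(Exception):
    """Raised when a token fails validation; maps to 404 Not Found on validate."""


@dataclass
class Domain:
    id: str
    enabled: bool = True


@dataclass
class User:
    id: str
    domain_id: str
    enabled: bool = True


@dataclass
class Trust:
    id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str


@dataclass
class Token:
    id: str
    user_id: str
    project_id: str
    trust_id: Optional[str] = None  # set for trust-scoped tokens


@dataclass
class TokenValidator:
    """Hypothetical validator (an assumption, not a Keystone API)."""
    domains: Dict[str, Domain]
    users: Dict[str, User]
    trusts: Dict[str, Trust]
    # Cached authorization contexts keyed by token id; models the provider cache.
    cache: Dict[str, dict] = field(default_factory=dict)

    def _enabled_user(self, user_id: str) -> User:
        """Return the user only if both the user and its domain are enabled."""
        user = self.users.get(user_id)
        if user is None or not user.enabled:
            raise TokenNotFound(user_id)
        domain = self.domains.get(user.domain_id)
        if domain is None or not domain.enabled:
            raise TokenNotFound(user.domain_id)
        return user

    def validate(self, token: Token, use_cache: bool = True) -> dict:
        """Rebuild the authorization context, or return the cached one."""
        if use_cache and token.id in self.cache:
            return self.cache[token.id]
        user = self._enabled_user(token.user_id)
        domain_ids: Set[str] = {user.domain_id}
        if token.trust_id is not None:
            trust = self.trusts.get(token.trust_id)
            if trust is None or trust.trustee_user_id != token.user_id:
                raise TokenNotFound(token.trust_id)
            # The check the fix adds: trustor AND trustee must be in enabled domains.
            trustor = self._enabled_user(trust.trustor_user_id)
            trustee = self._enabled_user(trust.trustee_user_id)
            domain_ids |= {trustor.domain_id, trustee.domain_id}
        ctx = {"user_id": user.id, "project_id": token.project_id,
               "trust_id": token.trust_id, "domain_ids": domain_ids}
        if use_cache:
            self.cache[token.id] = ctx
        return ctx

    def disable_domain(self, domain_id: str, evict_cached: bool) -> None:
        """Disable a domain; optionally drop cached contexts that involve it."""
        self.domains[domain_id].enabled = False
        if evict_cached:
            for token_id, ctx in list(self.cache.items()):
                if domain_id in ctx["domain_ids"]:
                    del self.cache[token_id]


def status_of(validator: TokenValidator, token: Token, use_cache: bool = True) -> int:
    """Map a validation result to the HTTP status the API would return."""
    try:
        validator.validate(token, use_cache=use_cache)
        return 200
    except TokenNotFound:
        return 404


def reproduce(disable_domain_id: str = "B", evict_cached: bool = True,
              use_cache: bool = True):
    """Walk the bug's steps; returns (status before disable, status after)."""
    # Constructed sample data: domain A with trustor alice, domain B with trustee bob.
    validator = TokenValidator(
        domains={"A": Domain("A"), "B": Domain("B")},
        users={"alice": User("alice", "A"), "bob": User("bob", "B")},
        trusts={"t1": Trust("t1", trustor_user_id="alice",
                            trustee_user_id="bob", project_id="proj-a")},
    )
    token = Token("tok-1", user_id="bob", project_id="proj-a", trust_id="t1")
    before = status_of(validator, token, use_cache)
    validator.disable_domain(disable_domain_id, evict_cached)
    after = status_of(validator, token, use_cache)
    return before, after


if __name__ == "__main__":
    print("trustee domain disabled, cache evicted:", reproduce())
    print("trustor domain disabled, cache evicted:", reproduce("A"))
    print("trustee domain disabled, stale cache kept:", reproduce(evict_cached=False))
```

With eviction on domain disable the trust-scoped token goes from 200 to 404 whether the trustor's or the trustee's domain is disabled; with the cache kept, the stale context keeps answering 200, which is the remaining gap the commit message defers to a later revocation-event fix.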

