yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #61293
[Bug 1662514] [NEW] Revoking a non-existing role revokes token for users of same role
Public bug reported:
When an unassigned role is revoked on a group, it is revoking tokens for
users with same role in the project.
Here is the scenario to reproduce it.
1. Create 'proj1', then create an admin role assignment for user 'user_admin' and viewer role for group 'grp_viewer' in proj1.
2. Run "openstack role remove admin --group grp_viewer --project proj1" to revoke non-existing admin role on grp_viewer, then all tokens in proj1 for admin role users will be revoked i.e. tokens created with user_admin are revoked.
In token validation flow (in our case user_admin token), it is
validating against revocation_event entries
@https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L148
which is returning as revoked token because when role is revoked in
step2 an entry is created in keystone.revocation_event table as shown
below.
[keystone]> select * from revocation_event;
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| id | domain_id | project_id | user_id | role_id | trust_id | consumer_id | access_token_id | issued_before | expires_at | revoked_at | audit_id | audit_chain_id |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| 42 | NULL | b7f38f1af5304e2bb18737e6725f2f4a | NULL | f669540d3e11483ba1ce1e5de9412af0 | NULL | NULL | NULL | 2017-02-07 08:30:37 | NULL | 2017-02-07 08:30:37 | NULL | NULL |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
token_data:
{
'access_token_id': None,
'project_id': u 'b7f38f1af5304e2bb18737e6725f2f4a',
'user_id': u '0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9',
'roles': [u 'f669540d3e11483ba1ce1e5de9412af0'],
'audit_id': u 'wiwisOGMR1ONUKw8rgIgOw',
'trustee_id': None,
'trustor_id': None,
'expires_at': datetime.datetime(2017, 2, 7, 14, 19, 57),
'consumer_id': None,
'assignment_domain_id': u 'default',
'issued_at': datetime.datetime(2017, 2, 7, 8, 19, 57),
'identity_domain_id': u 'default',
'audit_chain_id': u 'wiwisOGMR1ONUKw8rgIgOw',
'trust_id': None
}
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1662514
Title:
Revoking a non-existing role revokes token for users of same role
Status in OpenStack Identity (keystone):
New
Bug description:
When an unassigned role is revoked on a group, it is revoking tokens
for users with same role in the project.
Here is the scenario to reproduce it.
1. Create 'proj1', then create an admin role assignment for user 'user_admin' and viewer role for group 'grp_viewer' in proj1.
2. Run "openstack role remove admin --group grp_viewer --project proj1" to revoke non-existing admin role on grp_viewer, then all tokens in proj1 for admin role users will be revoked i.e. tokens created with user_admin are revoked.
In token validation flow (in our case user_admin token), it is
validating against revocation_event entries
@https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L148
which is returning as revoked token because when role is revoked in
step2 an entry is created in keystone.revocation_event table as shown
below.
[keystone]> select * from revocation_event;
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| id | domain_id | project_id | user_id | role_id | trust_id | consumer_id | access_token_id | issued_before | expires_at | revoked_at | audit_id | audit_chain_id |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| 42 | NULL | b7f38f1af5304e2bb18737e6725f2f4a | NULL | f669540d3e11483ba1ce1e5de9412af0 | NULL | NULL | NULL | 2017-02-07 08:30:37 | NULL | 2017-02-07 08:30:37 | NULL | NULL |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
token_data:
{
'access_token_id': None,
'project_id': u 'b7f38f1af5304e2bb18737e6725f2f4a',
'user_id': u '0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9',
'roles': [u 'f669540d3e11483ba1ce1e5de9412af0'],
'audit_id': u 'wiwisOGMR1ONUKw8rgIgOw',
'trustee_id': None,
'trustor_id': None,
'expires_at': datetime.datetime(2017, 2, 7, 14, 19, 57),
'consumer_id': None,
'assignment_domain_id': u 'default',
'issued_at': datetime.datetime(2017, 2, 7, 8, 19, 57),
'identity_domain_id': u 'default',
'audit_chain_id': u 'wiwisOGMR1ONUKw8rgIgOw',
'trust_id': None
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1662514/+subscriptions
Follow ups
