yahoo-eng-team team mailing list archive
Message #61964
[Bug 1662514] Re: Removing group role assignments results in overly broad revocation events
Reviewed: https://review.openstack.org/440281
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2cb842cd645cbfcad4ccd62200340ce4616a8aa7
Submitter: Jenkins
Branch: master
commit 2cb842cd645cbfcad4ccd62200340ce4616a8aa7
Author: prashkre <prashkre@xxxxxxxxxx>
Date: Thu Mar 2 04:23:35 2017 -0500
Removing group role assignments results in overly broad revocation events
When a role on a group scoped to a project/domain is revoked, it persists a
revocation event in the revoke_event table, which invalidates all tokens
created with the same role in that project/domain. Since token validation
populates role assignments at validation time, persisting revocation events
is no longer needed.
Change-Id: I112d5d4684f739d320606cea651e0a108f18d245
Closes-Bug: #1662514
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1662514
Title: Removing group role assignments results in overly broad revocation events
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
When an unassigned role is revoked on a group, it revokes tokens for users
with the same role in the project.
Here is the scenario to reproduce it.
1. Create 'proj1', then create an admin role assignment for user 'user_admin' and viewer role for group 'grp_viewer' in proj1.
2. Run "openstack role remove admin --group grp_viewer --project proj1" to revoke non-existing admin role on grp_viewer, then all tokens in proj1 for admin role users will be revoked i.e. tokens created with user_admin are revoked.
In the token validation flow (in our case the user_admin token), the token is
validated against revocation_event entries
(https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/models/revoke_model.py#L148),
which reports the token as revoked, because when a role is revoked in step 2
an entry is created in the keystone.revocation_event table, as shown below,
which matches all tokens whose role_id is the same.
[keystone]> select * from revocation_event;
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| id | domain_id | project_id | user_id | role_id | trust_id | consumer_id | access_token_id | issued_before | expires_at | revoked_at | audit_id | audit_chain_id |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| 42 | NULL | b7f38f1af5304e2bb18737e6725f2f4a | NULL | f669540d3e11483ba1ce1e5de9412af0 | NULL | NULL | NULL | 2017-02-07 08:30:37 | NULL | 2017-02-07 08:30:37 | NULL | NULL |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
token_data:
{
    'access_token_id': None,
    'project_id': u'b7f38f1af5304e2bb18737e6725f2f4a',
    'user_id': u'0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9',
    'roles': [u'f669540d3e11483ba1ce1e5de9412af0'],
    'audit_id': u'wiwisOGMR1ONUKw8rgIgOw',
    'trustee_id': None,
    'trustor_id': None,
    'expires_at': datetime.datetime(2017, 2, 7, 14, 19, 57),
    'consumer_id': None,
    'assignment_domain_id': u'default',
    'issued_at': datetime.datetime(2017, 2, 7, 8, 19, 57),
    'identity_domain_id': u'default',
    'audit_chain_id': u'wiwisOGMR1ONUKw8rgIgOw',
    'trust_id': None
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1662514/+subscriptions
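The matching rule the report describes, worked through as an added example (this is not keystone's code, nor code from the bug reporter or the commit author). It models a revocation event as a row whose non-NULL columns must all equal the token's values, which is a simplified reading of revoke_model.py and is an assumption of this example, as are the helper names (`event_matches_token`, `revoke_group_role`, `demo`). The identifiers are copied from the report's dump; the "after fix" branch simply persists no event for a group assignment removal, which is what the commit message describes.

```python
"""Toy model of revocation-event matching for bug 1662514 (added example).

Shows why an event recorded with only project_id + role_id matches every
token carrying that role in the project, including user_admin's token, even
though user_admin is not a member of grp_viewer.
"""
from datetime import datetime, timedelta

# Identifiers taken from the report's revocation_event row and token_data dump.
PROJ1 = "b7f38f1af5304e2bb18737e6725f2f4a"
ADMIN_ROLE = "f669540d3e11483ba1ce1e5de9412af0"
USER_ADMIN = "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9"

# Attributes a revocation event may constrain; None means "any value".
EVENT_ATTRS = ("domain_id", "project_id", "user_id", "role_id", "trust_id",
               "consumer_id", "access_token_id", "audit_id", "audit_chain_id")


def event_matches_token(event, token):
    """True when every non-None attribute on the event equals the token's value.

    Assumed rule (simplified from revoke_model.py): role_id is checked against
    the token's role list, and tokens issued after the event are unaffected.
    """
    if token["issued_at"] > event["issued_before"]:
        return False
    for attr in EVENT_ATTRS:
        wanted = event.get(attr)
        if wanted is None:
            continue  # NULL column: no constraint on this attribute
        if attr == "role_id":
            if wanted not in token["roles"]:
                return False
        elif token.get(attr) != wanted:
            return False
    return True


def revoke_group_role(group_id, role_id, project_id, now, persist_event=True):
    """Model of 'openstack role remove <role> --group <group> --project <proj>'.

    Before the fix (persist_event=True) an event keyed on project_id + role_id
    is written; note that user_id and group membership are not part of it.
    After the fix no event is persisted for group assignments, because role
    assignments are recomputed when a token is validated.
    """
    if not persist_event:
        return []
    return [{"project_id": project_id, "role_id": role_id, "issued_before": now}]


def is_token_revoked(token, events):
    """A token is treated as revoked if any stored event matches it."""
    return any(event_matches_token(e, token) for e in events)


def user_admin_token(issued_at):
    # Constructed from the token_data dump; user_admin holds the admin role
    # directly, not through grp_viewer.
    return {"project_id": PROJ1, "user_id": USER_ADMIN, "roles": [ADMIN_ROLE],
            "audit_id": "wiwisOGMR1ONUKw8rgIgOw", "issued_at": issued_at}


def demo(persist_event):
    """Revoke the (non-existent) admin role on grp_viewer and report whether
    user_admin's earlier token is now treated as revoked."""
    issued = datetime(2017, 2, 7, 8, 19, 57)
    token = user_admin_token(issued)
    events = revoke_group_role("grp_viewer", ADMIN_ROLE, PROJ1,
                               now=issued + timedelta(minutes=11),
                               persist_event=persist_event)
    return is_token_revoked(token, events)


if __name__ == "__main__":
    print("before fix, user_admin token revoked:", demo(persist_event=True))   # True
    print("after fix,  user_admin token revoked:", demo(persist_event=False))  # False
```

The point the model makes visible is that the stored event has no way to express "members of grp_viewer": once user_id is NULL, the row's only selective columns are project_id and role_id, so every admin-role token in proj1 satisfies it. Dropping the event for group assignment changes is safe only because validation re-derives the user's effective roles, which is the argument the commit message relies on.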