yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1671887] [NEW] Revocation API is used in places where where it doesn't need to be

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Fri, 10 Mar 2017 17:19:35 -0000
Reply-to: Bug 1671887 <1671887@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Since keystone now validates UUID and Fernet tokens the same way - by
rebuilding the token context at validation time, we no longer need to
persist certain types of revocation events.

For example, a revocation event is persisted when a role is deleted.
This is no longer needed because the invalidation happens by design of
the token provider.

Opening this bug so that we can track those cases and remove them.

** Affects: keystone
     Importance: Low
     Assignee: Richard (csravelar)
         Status: In Progress

** Changed in: keystone
       Status: New => Confirmed

** Changed in: keystone
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1671887

Title:
  Revocation API is used in places where where it doesn't need to be

Status in OpenStack Identity (keystone):
  In Progress

Bug description:
  Since keystone now validates UUID and Fernet tokens the same way - by
  rebuilding the token context at validation time, we no longer need to
  persist certain types of revocation events.

  For example, a revocation event is persisted when a role is deleted.
  This is no longer needed because the invalidation happens by design of
  the token provider.

  Opening this bug so that we can track those cases and remove them.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1671887/+subscriptions