yahoo-eng-team team mailing list archive

[Morgan Fainberg <morgan.fainberg@xxxxxxxxx>]

Marking this as wont fix. This really is not something we can address in
a meaningful way at this time. It expands through a huge set of issues
across all of openstack and is not in line with the direction of the
project now.

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1680911

Title:
  Revoking an unscoped token does not revoke all tokens scoped from the
  unscoped token

Status in OpenStack Identity (keystone):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  If you create an unscoped token (A) and you then use token A to
  create a project-scoped token (B) you now have
  token (A) [audit_id] = audit_id_a
  token (A) [audit_chain_id] = [audit_id_a]

  token (B) [audit_id] = audit_id_b
  token (B) [audit_chain_id] = [audit_id_a, audit_id_b]

  If you Revoke(token A) then token B should also be invalid.
  However, this is not the case currently as there are two reasons
  for this.
  There is a bug that doesn't correctly catch this in revoke_models
  because it accidently changes a list to a list in a tuple:
  https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
  This needs to have the comma removed from
  not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])

  The second and main reason is because this functionality is never exposed to the user
  and in the code it is never run here:
  https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277
  because revoke_chain=False in the parameter is never set to True in a call anywhere in
  the code.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1680911/+subscriptions