yahoo-eng-team team mailing list archive

[Bug 2119031] [NEW] Expiring group membership does not immediately provide group assignments

Public bug reported:

In #1809116, expiring group membership has been implemented. Identity
providers also have a `ttl` field that can be used to control how long
a user should be considered a member of a group.

However, when a user's group membership changes in the IdP and the user
reauthenticates to keystone with the changed group membership, their
role assignments do not reflect the change for the duration of the role
assignment cache region's lifetime.

Steps to reproduce:
0. Configure keystone with cache, enable cache everywhere
1. Configure federation, set up an identity provider with ttl for group membership, create a mapping that will assign the user to groups in Keystone
2. Create groups, projects, make some role assignments on these groups and projects
3. Without adding a user to any groups, authenticate, note their id
4. Do `openstack role assignment list --user <id> --effective`
5. Add the user to groups in the IdP
6. Authenticate the user again
7. Do `openstack role assignment list --user <id> --effective`
7.1. Or try to create an application credential with that user

Expected: the application credential gets created, the user is visible
in `role assignment list`

Observed: the application credential fails to get created, the user is
not visible in `role assignment list`; after waiting for
[cache]expiration_time, the application credential gets created, the
user is visible in `role assignment list`.

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  In #1809116, expiring group membership has been implemented. Identity
  providers also have a `ttl` field, that can be used to control how long
  a user should be considered a member of a group.
  
  However, when a user's group membership changes in the IdP, and the user
  reauthenticates to keystone with the changed membership in groups, their
  role assignments do not reflect the change for the duration of role
  assignment cache region lifetime.
  
  Steps to reproduce:
  0. Configure keystone with cache, enable cache everywhere
  1. Configure federation, set up an identity provider with ttl for group membership, create a mapping that will assign the user to groups in Keystone
  2. Create groups, projects, make some role assignments on these groups and projects
  2. Without adding a user to any groups, authenticate, note their id
  3. Do `openstack role assignment list --user <id> --effective`
  4. Add the user to groups in the IdP
  5. Authenticate the user again
  6. Do `openstack role assignment list --user <id> --effective`
  6.1. Or try to create an application credential with that user
  
- Expected: the application credential gets created, the user is visible in `role assignment list`
- Observed: the application credential fails to get created, the user is not visible in `role assignment list`; after waiting for [cache]expiration_time, the application credential gets created, the user is visible in `role assignment list`.
+ Expected: the application credential gets created, the user is visible
+ in `role assignment list`
+ 
+ Observed: the application credential fails to get created, the user is
+ not visible in `role assignment list`; after waiting for
+ [cache]expiration_time, the application credential gets created, the
+ user is visible in `role assignment list`.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2119031

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2119031/+subscriptions
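As an added illustration, not part of the bug report and not keystone's own code: a small Python model of the behaviour the report describes. A per-user cache of effective role assignments with a fixed expiration time (standing in for keystone's `[cache] expiration_time`) sits in front of a store holding the groups the IdP asserted at the user's last authentication. The `scenario()` function walks the reproduction steps (authenticate with no groups, list assignments, add the user to a group at the IdP, authenticate again, list again, wait past the expiration time), once without and once with invalidating the user's cache entry on re-authentication. Every name here (`Directory`, `AssignmentCache`, `federated_auth`, `scenario`, the `admins` group and `demo` project) is constructed for the example.

```python
"""Model of stale cached role assignments after a group-membership change.

Added illustration only: this is not keystone code. A per-user cache of
effective role assignments with a fixed expiration time (playing the part
of keystone's [cache] expiration_time) sits in front of a store that holds
the groups the IdP asserted at the user's last authentication. The scenario
follows the reproduction steps in the report, once without and once with
dropping the user's cache entry on re-authentication.
"""
from dataclasses import dataclass, field
import time


@dataclass
class Directory:
    """Group-to-role grants plus the groups each federated user currently holds."""
    # group name -> set of (project, role) pairs granted to the group (constructed)
    group_roles: dict
    # user id -> set of group names produced by the mapping at the last authentication
    memberships: dict = field(default_factory=dict)

    def effective_assignments(self, user):
        """Role assignments the user inherits through group membership."""
        result = set()
        for group in self.memberships.get(user, set()):
            result |= self.group_roles.get(group, set())
        return result


class AssignmentCache:
    """Time-bounded per-user cache in front of Directory.effective_assignments."""

    def __init__(self, backend, expiration_time, clock=time.monotonic):
        self.backend = backend
        self.expiration_time = expiration_time  # seconds an entry stays valid
        self.clock = clock                      # injectable so tests need not sleep
        self._entries = {}                      # user -> (expires_at, assignments)

    def list_effective(self, user):
        """Return cached assignments while the entry is fresh, else recompute."""
        now = self.clock()
        hit = self._entries.get(user)
        if hit is not None and hit[0] > now:
            return hit[1]
        value = self.backend.effective_assignments(user)
        self._entries[user] = (now + self.expiration_time, value)
        return value

    def invalidate(self, user):
        """Drop the user's entry so the next lookup reflects current membership."""
        self._entries.pop(user, None)


class FakeClock:
    """Manually advanced clock so the scenario runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def federated_auth(directory, cache, user, groups_from_idp, invalidate_on_auth):
    """Record the groups the IdP asserted; optionally invalidate cached assignments."""
    directory.memberships[user] = set(groups_from_idp)
    if invalidate_on_auth:
        cache.invalidate(user)


def scenario(invalidate_on_auth, expiration_time=600):
    """Run the report's steps; return assignments seen before, after re-auth, after expiry."""
    clock = FakeClock()
    directory = Directory(group_roles={"admins": {("demo", "admin")}})
    cache = AssignmentCache(directory, expiration_time, clock)
    user = "federated-user-1"  # constructed user id

    federated_auth(directory, cache, user, [], invalidate_on_auth)
    before = cache.list_effective(user)          # empty, and now cached

    federated_auth(directory, cache, user, ["admins"], invalidate_on_auth)
    after_reauth = cache.list_effective(user)    # stale unless the entry was invalidated

    clock.advance(expiration_time + 1)
    after_expiry = cache.list_effective(user)    # entry expired, recomputed from the store
    return before, after_reauth, after_expiry


if __name__ == "__main__":
    print("without invalidation:", scenario(False))
    print("with invalidation:   ", scenario(True))
```

The first run reproduces what the report describes: the new group's assignments appear only once the cached entry expires, so for up to `expiration_time` seconds the effective role list and anything derived from it (such as application credential creation) lag the IdP. The second run shows that dropping the user's entry at the point where the changed membership is recorded makes the change visible immediately. The model also makes the symmetric case visible: a cache shaped like this would keep returning the assignments of a group the user has been removed from at the IdP until the entry expires, which is the direction worth checking when assessing the impact of this behaviour.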