v3 grant/revoke roles to not invalidate existing tokens

Bug #1093493 reported by Henry Nash
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Critical
Assigned to: Henry Nash

Bug Description

The new v3 code for granting/revoking tokens (including the new group roles) does not currently call the token controller to invalidate any existing tokens.

Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/18097
Committed: http://github.com/openstack/keystone/commit/4fae928c59beaa558306a5aa3a3aa5c6f4945b70
Submitter: Jenkins
Branch: master

commit 4fae928c59beaa558306a5aa3a3aa5c6f4945b70
Author: Henry Nash <email address hidden>
Date: Thu Dec 13 16:48:13 2012 +0000

    Keystone server support for user groups

    This implements the server side of groups of users. This
    set of code provides all the crud functionality for groups as
    well as the corresponding support for role assignments.

    blueprint user-groups

    The following deficiencies exist with the current version and
    will be corrected ahead of the final Grizzly release:

    1) There is only placeholder support for LDAP (Bug #1092187)
    2) Domain role grants are accepted but not yet honored (Bug #1093248)
    3) Token invalidation does not occur with group changes (Bug #1093493)

    This update also fills in missing v3 grant unit testing and v3 grant
    support within the kvs backend. In addition, there is a fix for
    Bug #1092200 (uncaught exception when listing grants)

    DocImpact

    Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695

Changed in keystone:
status: In Progress → Fix Committed
Henry Nash (henry-nash)
Changed in keystone:
status: Fix Committed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/24078

Dolph Mathews (dolph)
Changed in keystone:
milestone: none → grizzly-rc1
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/24078
Committed: http://github.com/openstack/keystone/commit/f5edbaeb2d963471c2b50ab8f7083f77e588bce0
Submitter: Jenkins
Branch: master

commit f5edbaeb2d963471c2b50ab8f7083f77e588bce0
Author: Henry Nash <email address hidden>
Date: Mon Mar 11 15:37:32 2013 +0000

    Ensure tokens are revoked for relevant v3 api calls

    A number of the v3 apis were not yet revoking tokens that would
    be invalidated by their actions, including:

    - grant/revoke role
    - delete group
    - add/remove user to group

    A separate bug has been raised with regard to revoking tokens when
    a role is deleted, since this needs much more plumbing to implement.

    Fixes Bug #1093493

    Change-Id: Icf0792821829045d5bdecf686ec470ce54f9c9af
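
The failure mode this bug describes, as an added example that is not keystone code and not part of the original report: a toy in-memory store in which a token snapshots the holder's roles at issue time, so a token issued before a group role revoke, a group membership change or a group delete keeps validating with the old roles unless those calls also revoke tokens. All class, method and parameter names are hypothetical, and dropping every token of an affected user is a simplifying assumption.

```python
import uuid
from collections import defaultdict

class IdentityStore:
    """Toy in-memory model; all names are hypothetical, not keystone's API."""

    def __init__(self, revoke_on_change=True):
        self.revoke_on_change = revoke_on_change  # False reproduces the bug
        self.members = defaultdict(set)      # group -> users
        self.group_roles = defaultdict(set)  # (group, project) -> roles
        self.tokens = {}                     # token id -> (user, roles at issue time)

    def effective_roles(self, user, project):
        return {r for g, users in self.members.items() if user in users
                for r in self.group_roles.get((g, project), ())}

    def issue_token(self, user, project):
        token_id = uuid.uuid4().hex
        self.tokens[token_id] = (user, frozenset(self.effective_roles(user, project)))
        return token_id

    def validate(self, token_id):
        entry = self.tokens.get(token_id)
        return set(entry[1]) if entry else None  # None: revoked or unknown

    def _revoke_tokens(self, users):
        # Simplifying assumption: drop every token held by an affected user.
        if self.revoke_on_change:
            self.tokens = {t: e for t, e in self.tokens.items() if e[0] not in users}

    def set_group_role(self, group, project, role, granted):
        roles = self.group_roles[(group, project)]
        (roles.add if granted else roles.discard)(role)
        self._revoke_tokens(set(self.members[group]))

    def set_membership(self, group, user, member):
        users = self.members[group]
        (users.add if member else users.discard)(user)
        self._revoke_tokens({user})

    def delete_group(self, group):
        users = self.members.pop(group, set())
        for key in [k for k in self.group_roles if k[0] == group]:
            del self.group_roles[key]
        self._revoke_tokens(users)

def stale_roles_after(action, revoke_on_change):
    """Return (roles the old token still carries, roles the user really has)."""
    store = IdentityStore(revoke_on_change)
    store.set_membership("ops", "alice", True)           # constructed sample data
    store.set_group_role("ops", "proj", "admin", True)
    token = store.issue_token("alice", "proj")
    action(store)
    return store.validate(token), store.effective_roles("alice", "proj")
```

With `revoke_on_change=False` the old token still reports `admin` while the user's effective roles are empty; with the default it no longer validates.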

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-rc1 → 2013.1