Deleting a role should revoke any tokens associated with it

Bug #1153645 reported by Henry Nash
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Henry Nash

Bug Description

When we delete a role, we delete all the grants associated with it. Since this is a bit like an enforced revoking of user/groups grants, we should invalidate any tokens:

- for users that have had any grant using this role
- for users of any group that has had a grant using this role
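The revocation rule described above, as an added example that is not keystone's own code: given direct user grants, group grants and group memberships (all constructed here, with hypothetical ids), deleting a role computes the affected users before the grants are dropped and invalidates their tokens.

```python
"""Added example (not keystone's code): which tokens must be invalidated when a
role is deleted, following the two rules in the bug description. The data
model is constructed for illustration; keystone's real backends differ."""
from dataclasses import dataclass, field


@dataclass
class Token:
    token_id: str
    user_id: str
    revoked: bool = False


@dataclass
class IdentityStore:
    user_grants: set = field(default_factory=set)    # {(user_id, role_id)}
    group_grants: set = field(default_factory=set)   # {(group_id, role_id)}
    group_members: dict = field(default_factory=dict)  # group_id -> {user_id}
    tokens: dict = field(default_factory=dict)         # token_id -> Token

    def users_affected_by_role(self, role_id):
        """Users holding the role directly, plus members of groups holding it."""
        users = {u for (u, r) in self.user_grants if r == role_id}
        for (g, r) in self.group_grants:
            if r == role_id:
                users |= self.group_members.get(g, set())
        return users

    def delete_role(self, role_id):
        """Drop all grants for the role and revoke tokens of affected users.
        Returns the set of revoked token ids."""
        # Must be computed before the grants are removed: afterwards the
        # information needed to find the affected users is gone.
        affected = self.users_affected_by_role(role_id)
        self.user_grants = {(u, r) for (u, r) in self.user_grants if r != role_id}
        self.group_grants = {(g, r) for (g, r) in self.group_grants if r != role_id}
        revoked = set()
        for tok in self.tokens.values():
            if tok.user_id in affected and not tok.revoked:
                tok.revoked = True
                revoked.add(tok.token_id)
        return revoked


def build_sample_store():
    """Constructed sample: alice holds 'admin' directly, bob via group 'ops',
    carol only holds 'member'."""
    return IdentityStore(
        user_grants={("alice", "admin"), ("carol", "member")},
        group_grants={("ops", "admin")},
        group_members={"ops": {"bob"}},
        tokens={t: Token(t, u) for t, u in
                [("t-alice", "alice"), ("t-bob", "bob"), ("t-carol", "carol")]},
    )
```

Running `build_sample_store().delete_role("admin")` revokes alice's and bob's tokens and leaves carol's valid.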

Dolph Mathews (dolph)
Changed in keystone:
status: New → Confirmed
Lawrance (jing) wrote :

mark

Dolph Mathews (dolph) wrote :

Is this still an issue?

Henry Nash (henry-nash) wrote :

Yes, the problem still exists - and is that delete_role is expanded out into the various removal of role assignments from the nest of metadata tables at the driver level, while our token deletion for a user is at the controller level...so need to refactor the code.

Dolph Mathews (dolph)
Changed in keystone:
milestone: none → havana-rc1
Henry Nash (henry-nash)
Changed in keystone:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/46613

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/46613
Committed: http://github.com/openstack/keystone/commit/c80282c3bee1ed1ee2ac5f1a4a9e5b1f56d4e6d2
Submitter: Jenkins
Branch: master

commit c80282c3bee1ed1ee2ac5f1a4a9e5b1f56d4e6d2
Author: Henry Nash <email address hidden>
Date: Tue Sep 17 16:32:35 2013 +0100

    Ensure any relevant tokens are revoked when a role is deleted

    Add a controller class method to delete tokens for a role, along the
    lines of those that exist for deleting tokens for user and project. Ensure
    this is called for both the V2 and V3 delete_role APIs.

    Fixes bug 1153645

    Change-Id: I3c8d70eeb387a18c30df489142ea3aefc2224ae3

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-rc1 → 2013.2