V3 Revoke token API is doing V2 style admin check

Bug #1186061 reported by Arvind Tiwari
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Guang Yee

Bug Description

V3 Revoke token API is doing V2 style admin check even if the caller is authorized based on auth policy. The API call is landing at the "keystone.token.controllers.delete_token" method, which tries to do assert_admin(context), which will fail if the caller is not a V2 type admin.

API: DELETE http://localhost:35358/v3/auth/tokens

Below is the block of code from keystone.token.controllers.delete_token which does the assert_admin check:

def delete_token(self, context, token_id):
    """Delete a token, effectively invalidating it for authz."""
    # TODO(termie): this stuff should probably be moved to middleware
    self.assert_admin(context)
    self.token_api.delete_token(context=context, token_id=token_id)

Changed in keystone:
assignee: nobody → Arvind Tiwari (arvind-tiwari)
description: updated
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Guang Yee (guang-yee) wrote :

The problem was, for delete token, the v3 auth controller is calling back to the v2 token controller. This problem is addressed in the new pluggable token management impl.

https://review.openstack.org/#/c/29021/
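
The failure mode described in the report and in the comment above, reduced to a self-contained model. This is an added example, not Keystone's code and not the merged fix. Only the names delete_token and assert_admin come from the report; the classes, the role names, the policy rule and the try_revoke helper are constructed for illustration.

```python
# Simplified model of the bug; everything here is constructed, not Keystone code.
class Forbidden(Exception):
    pass

# Constructed policy: the deployer allows a non-admin role to revoke tokens.
POLICY = {"identity:revoke_token": {"admin", "token_revoker"}}

def enforce(context, action):
    """Policy-based check, as a v3 API is expected to apply."""
    if not POLICY[action] & set(context["roles"]):
        raise Forbidden(action)

class V2TokenController:
    """Stands in for the v2 controller quoted in the report."""
    def __init__(self, store):
        self.store = store

    def assert_admin(self, context):
        # V2 style: one hard-coded notion of "admin", blind to policy.
        if "admin" not in context["roles"]:
            raise Forbidden("v2 admin required")

    def delete_token(self, context, token_id):
        self.assert_admin(context)
        self.store.discard(token_id)

class V3AuthBuggy:
    """Policy passes, then the call falls through to the v2 controller."""
    def __init__(self, store):
        self.v2 = V2TokenController(store)

    def revoke_token(self, context, token_id):
        enforce(context, "identity:revoke_token")
        self.v2.delete_token(context, token_id)  # second, stricter check

class V3AuthPolicyOnly:
    """Policy is the only authorization decision on the v3 path."""
    def __init__(self, store):
        self.store = store

    def revoke_token(self, context, token_id):
        enforce(context, "identity:revoke_token")
        self.store.discard(token_id)

def try_revoke(controller_cls, roles):
    """Return (outcome, remaining tokens) for a caller holding `roles`."""
    store = {"tok-1"}
    try:
        controller_cls(store).revoke_token({"roles": roles}, "tok-1")
    except Forbidden as exc:
        return f"denied: {exc}", store
    return "revoked", store
```

A caller holding only the constructed token_revoker role is denied by V3AuthBuggy and the token stays valid, while the same caller succeeds against V3AuthPolicyOnly; a caller with neither role is denied by both.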

Changed in keystone:
assignee: Arvind Tiwari (arvind-tiwari) → Guang Yee (guang-yee)
status: Triaged → In Progress
Changed in keystone:
assignee: Guang Yee (guang-yee) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Guang Yee (guang-yee)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/33858

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/33858
Committed: http://github.com/openstack/keystone/commit/c238ace30981877e5991874c5b193ea7d5107419
Submitter: Jenkins
Branch: master

commit c238ace30981877e5991874c5b193ea7d5107419
Author: Guang Yee <email address hidden>
Date: Thu Jun 20 10:06:17 2013 -0700

    Implements Pluggable V3 Token Provider

    Abstract V3 token provider backend to make token provider pluggable. It enables
    deployers to customize token management to add their own capabilities.
    Token provider is responsible for issuing, checking, validating, and
    revoking tokens. Note the distinction between token 'driver' and 'provider'.
    Token 'driver' simply provides token persistence. It does not issue or
    interpret tokens.

    Token provider is specified by the 'provider' property in the '[token]'
    section of the Keystone configuration file.

    Partially implemented blueprint pluggable-token-format.

    This patch also fixes bug 1186061.

    Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-2 → 2013.2