v2 token cache not correctly invalidated when using "Belongs To"
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Henry Nash | |
Bug Description
v2 token deletion and validation methods take an optional "belongs_to" parameter, which is the tenant. Due to how sensitive the dogpile caching is on the parameters to validate_token, this can lead to problems where a token cache is not correctly cleared, for example, the following (pseudo test) will fail:
- create a scoped token for a user to a project
- check the token is valid, just using the token ID (without passing in belongs_
- delete the token using the driver function delete_tokens, passing in user and tenant
- check if token is still valid, just using token ID (it will be returned successfully from the cache - which is incorrect)
- check if token is still valid, token ID and tenant ID (it will not be found - which is correct)
The problem is in invalidate_
Thanks to morganfainberg for his help in debugging the above.
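The pseudo test above, reduced to a self-contained sketch. This is an added example, not keystone code and not the committed fix: `ArgKeyedCache`, `TokenProvider`, `delete_token`, `clear_all_keys` and `is_valid` are hypothetical names, and the small memoizer stands in for a cache that builds its key from the call arguments.

```python
# Added illustration: ArgKeyedCache and TokenProvider are hypothetical names,
# a stand-in for an argument-keyed memoizer. This is not keystone code.
class ArgKeyedCache:
    def __init__(self):
        self.store = {}

    def get_or_create(self, key, creator):
        if key not in self.store:
            self.store[key] = creator()  # an exception here caches nothing
        return self.store[key]

    def invalidate(self, key):
        self.store.pop(key, None)


class TokenProvider:
    def __init__(self):
        self.backend = {}  # token_id -> tenant_id (constructed sample data)
        self.cache = ArgKeyedCache()

    def _lookup(self, token_id, belongs_to):
        tenant = self.backend.get(token_id)
        if tenant is None or belongs_to not in (None, tenant):
            raise KeyError(token_id)
        return {"id": token_id, "tenant": tenant}

    def validate_token(self, token_id, belongs_to=None):
        # The cache key is the full argument tuple, so (id, None) and
        # (id, tenant) are two independent entries for the same token.
        key = (token_id, belongs_to)
        return self.cache.get_or_create(
            key, lambda: self._lookup(token_id, belongs_to))

    def delete_token(self, token_id, tenant_id, clear_all_keys):
        del self.backend[token_id]
        # Assumption: clearing every argument combination is one possible
        # remedy; it is not taken from the committed fix.
        keys = (None, tenant_id) if clear_all_keys else (tenant_id,)
        for belongs_to in keys:
            self.cache.invalidate((token_id, belongs_to))


def is_valid(provider, token_id, belongs_to=None):
    try:
        provider.validate_token(token_id, belongs_to)
        return True
    except KeyError:
        return False
```

With `clear_all_keys=False` the deleted token still validates by ID alone, because the entry cached under `(token_id, None)` was never invalidated.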
Changed in keystone: | |
assignee: | nobody → Henry Nash (henry-nash) |
importance: | Undecided → High |
milestone: | none → havana-rc1 |
description: | updated |
Changed in keystone: | |
status: | New → Confirmed |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | havana-rc1 → 2013.2 |
Fix proposed to branch: master
Review: https://review.openstack.org/46972