Revocation events don't handle scoped tokens correctly
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Brant Knudson | |
Icehouse | Fix Released | High | Brant Knudson | |
Bug Description
Revoking a scoped token isn't handled correctly. If a scoped token is gotten from an unscoped token and the unscoped token is revoked, the scoped token should remain valid. Horizon uses this pattern.
We've got a test for this in tempest, but because of another bug related to revocation events and MySQL (https:/
When running with DB2 10.5, sqlalchemy-migrate 0.9.1 and sqlalchemy 0.8.4 on RHEL 6.5, seeing failures with the tempest.
Traceback (most recent call last):\n File "/tmp/tempest/
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
summary:
- tempest.api.identity.admin.v3.test_tokens.TokensV3TestJSON.test_rescope_token - race fails with DB2
+ Revocation events don't handle scoped tokens correctly
tags: removed: db2
information type: Public Security → Public
no longer affects: ossa
tags: removed: in-stable-icehouse
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: juno-3 → 2014.2
The revocation code is incorrect. It revokes all tokens with the same expiration date and user and doesn't take the scope into account.
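A simplified model of the matching problem described in this report, added here as an illustration. It is not keystone's code, and the class, field and function names are hypothetical. It assumes the scoped token shares the user and expiration time of the unscoped token it was obtained from.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Simplified model for illustration; names are hypothetical and do not
# mirror keystone's revocation API.


@dataclass(frozen=True)
class Token:
    user_id: str
    expires_at: datetime
    project_id: Optional[str] = None  # None means unscoped


@dataclass(frozen=True)
class RevocationEvent:
    user_id: str
    expires_at: datetime
    project_id: Optional[str] = None  # scope of the token that was revoked


def event_for(token):
    """Build the event recorded when one specific token is revoked."""
    return RevocationEvent(token.user_id, token.expires_at, token.project_id)


def is_revoked_ignoring_scope(token, events):
    """Behaviour described in the report: match on user and expiry only."""
    return any(e.user_id == token.user_id and e.expires_at == token.expires_at
               for e in events)


def is_revoked_scope_aware(token, events):
    """Additionally require the event's scope to equal the token's scope."""
    return any(e.user_id == token.user_id
               and e.expires_at == token.expires_at
               and e.project_id == token.project_id
               for e in events)


# Constructed sample data: same user and expiry, different scope.
EXPIRY = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)
UNSCOPED = Token("user-a", EXPIRY)
SCOPED = Token("user-a", EXPIRY, project_id="project-x")
EVENTS = [event_for(UNSCOPED)]  # only the unscoped token is revoked

if __name__ == "__main__":
    for name, tok in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, is_revoked_ignoring_scope(tok, EVENTS),
              is_revoked_scope_aware(tok, EVENTS))
```

With the scope-blind matcher both tokens are reported revoked; with the scope-aware matcher only the unscoped token is, which is the behaviour the bug description asks for.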