All user tokens are considered revoked on its group role revocation

Bug #1402760 reported by Alexander Makarov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Alexander Makarov |
Kilo | Fix Released | Undecided | Unassigned |

Bug Description

The case for the bug:
- User authenticates and receives a token scoped to the project1
- User authenticates and receives a token scoped to the project2
- User joins the group
- Group is granted a role to the project1
- Group role grant to the project1 is revoked

Result:
All user tokens are considered revoked.

Analysis:
Revoke model lacks correct token by group revocation - it is done through revocation by user, which results in the described effect.

Changed in keystone:
assignee: nobody → Haneef Ali (haneef)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/141854

Changed in keystone:
assignee: Haneef Ali (haneef) → Alexander Makarov (amakarov)
Alexander Makarov (amakarov) wrote :

Notifiers in unit-tests use RabbitMQ as a transport

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/140790
Reason: this looks to have been addressed in master by https://github.com/openstack/keystone/commit/367fcd70368e96db6ffaee58352fbd3b0e1105cb

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
milestone: none → kilo-rc1
tags: added: kilo-rc-potential
Changed in keystone:
milestone: kilo-rc1 → none
Changed in keystone:
assignee: Alexander Makarov (amakarov) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Alexander Makarov (amakarov)
Changed in keystone:
milestone: none → kilo-rc1
Changed in keystone:
milestone: kilo-rc1 → liberty-1
tags: removed: kilo-rc-potential
Changed in keystone:
milestone: liberty-1 → liberty-2
Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/216354

tags: added: kilo-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-2 → 8.0.0
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/216354
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=369d08d1c6f1c30abb09440b3ed06e7e5266b1ec
Submitter: Jenkins
Branch: stable/kilo

commit 369d08d1c6f1c30abb09440b3ed06e7e5266b1ec
Author: Alexander Makarov <email address hidden>
Date: Mon Dec 15 20:25:01 2014 +0300

    Group role revocation invalidates all user tokens

    Keystone invalidates every token for a user after revoking one group role
    within one project.

    This patch replaces 'invalidate user's everything' logic with revocation by
    grant via notifications for delete_grant assignment operation.

    Closes-Bug: #1402760
    Closes-Bug: #1401926
    (cherry picked from commit 2cf743d6de3afcb1a0aa3d4c219b3c4bcea29008)

    There was one conflict fixed by hand in core.py. The test case had to be
    adjusted as driver='kvs' and driver='uuid' (test_v3_auth.py)
    will not work in the stable/kilo release.

    # Conflicts:
    #       keystone/assignment/core.py

    Change-Id: If9d0fefe43da96ba5e6b6ffc809b9f15e8d732f7

tags: added: in-stable-kilo
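
The difference between revocation by user (the reported behaviour) and revocation by grant (the approach named in the commit message), as an added Python example. It is a simplified model and not keystone's code: the class and function names, the user "alice", the role names and the integer timestamps are all constructed for illustration, and it assumes one revocation event per group member.

```python
# Simplified model of token revocation events (added example, not keystone code).
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    roles: FrozenSet[str]
    issued_at: int  # constructed integer timestamps


@dataclass(frozen=True)
class RevokeEvent:
    issued_before: int
    user_id: Optional[str] = None     # None means "matches any value"
    project_id: Optional[str] = None
    role_id: Optional[str] = None

    def matches(self, t: Token) -> bool:
        return (t.issued_at <= self.issued_before
                and self.user_id in (None, t.user_id)
                and self.project_id in (None, t.project_id)
                and (self.role_id is None or self.role_id in t.roles))


def revoke_by_user(members: Iterable[str], now: int) -> List[RevokeEvent]:
    """Behaviour from the report: one user-wide event per group member."""
    return [RevokeEvent(now, user_id=u) for u in members]


def revoke_by_grant(members, project_id, role_id, now) -> List[RevokeEvent]:
    """Scoped alternative: each event names the user, project and role."""
    return [RevokeEvent(now, u, project_id, role_id) for u in members]


def surviving(tokens, events) -> List[Token]:
    """Tokens that no revocation event matches."""
    return [t for t in tokens if not any(e.matches(t) for e in events)]


# Constructed scenario following the steps in the bug description.
TOKENS = [
    Token("alice", "project1", frozenset({"member"}), issued_at=10),
    Token("alice", "project2", frozenset({"member"}), issued_at=11),
    # Issued after the group was granted "auditor" on project1.
    Token("alice", "project1", frozenset({"member", "auditor"}), issued_at=20),
]
```

With the group's "auditor" grant on project1 revoked at time 30, `surviving(TOKENS, revoke_by_user(["alice"], 30))` is empty, while `revoke_by_grant(["alice"], "project1", "auditor", 30)` leaves both tokens that never carried the revoked role.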