OpenStack Identity (keystone)

Fernet tokens do not support domain scopes

Bug #1428949 reported by Dolph Mathews on 2015-03-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Morgan Fainberg	OpenStack Identity (keystone) 2015.1.0 "kilo"

Bug Description

Attempting to get a domain-scoped token with the Fernet token provider returns a token - everything appears to have worked. When validating that token though, it appears to be unpacked as a project-scoped token, which ultimately fails.

The short of it is that domain-scope support doesn't really exist yet, and the current behavior will only work if the hierarchical multitenancy effort successfully migrates domains to be projects.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-03-06: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/162031

Changed in keystone:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-03-06:

Fix proposed to branch: master
Review: https://review.openstack.org/162196

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-03-06: Change abandoned on keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

OpenStack Infra (hudson-openstack) on 2015-03-09

Changed in keystone:
assignee:	Dolph Mathews (dolph) → Lance Bragstad (lbragstad)

OpenStack Infra (hudson-openstack) on 2015-03-10

Changed in keystone:
assignee:	Lance Bragstad (lbragstad) → Dolph Mathews (dolph)

OpenStack Infra (hudson-openstack) on 2015-03-10

Changed in keystone:
assignee:	Dolph Mathews (dolph) → Jorge Munoz (jorge-munoz)

OpenStack Infra (hudson-openstack) on 2015-03-11

Changed in keystone:
assignee:	Jorge Munoz (jorge-munoz) → Dolph Mathews (dolph)

OpenStack Infra (hudson-openstack) on 2015-03-12

Changed in keystone:
assignee:	Dolph Mathews (dolph) → Morgan Fainberg (mdrnstm)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-03-13: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/162031
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Submitter: Jenkins
Branch: master

commit a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 22:01:53 2015 +0000

Drop Fernet token prefixes & add domain-scoped Fernet tokens

    - Move the payload version (part of the plaintext token prefix) into the
      integrity verified portion of the token (the payload). This also drops
      the 'F', which doesn't serve a purpose with Fernet tokens as it does
      with token formats that can be validated offline (PKI, PKIZ). This
      requires a bunch of refactoring to move the responsibility of
      decrypting, unpacking, and disassembling the payload contents to the
      caller (the Provider).

    - Add a domain-scoped payload format, identical to that for
      project-scoped tokens, just with a different version number. Better
      functional tests revealed that tests intended to exercise
      domain-scoped Fernet tokens, which didn't exist, should not have been
      passing.

    - Remove remaining functional tests from the unit test suite
      (test_fernet_provider), and ensure that same coverage exists in the
      actual functional test suite (test_v3_auth). Several of the unit tests
      required heavy refactoring due to the refactoring required to support
      the first item above, so it was easier just to dump those tests in
      favor of better functional test coverage, which are agnostic to the
      implementation details.

    Change-Id: I141f2707a391d46d9607710b30155b76de2f88f0
    Closes-Bug: 1427485
    Closes-Bug: 1428949

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2015-03-19

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in keystone:
milestone:	kilo-3 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.