v2 tokens validated on the v3 API are missing timezones

Bug #1476329 reported by Dolph Mathews
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: werner mendizabal

Bug Description

v3 tokens contain the issued_at and expires_at timestamps for each token. If a token is created on the v2 API and then validated on the v3 API, this timezone information is missing (the 'Z' at the end of the timestamp), and thus cannot be validated as ISO 8601 extended format timestamps.

This patch contains two FIXMEs which, if uncommented, will reproduce this bug:

  https://review.openstack.org/#/c/203250/

This appears to affect all token formats.

Dolph Mathews (dolph)
description: updated
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/203250
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=425a17b50a1a2e882d82d4aa95835e280bbb8c6c
Submitter: Jenkins
Branch: master

commit 425a17b50a1a2e882d82d4aa95835e280bbb8c6c
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 17 21:20:31 2015 +0000

    Refactor: clean up TokenAPITests

    Because many of these tests are intermixing v2 and v3 tokens between the
    v2 and v3 APIs, I found these tests to be particularly difficult to grok
    without coffee, so I coffee'd up and clarified them.

    - Chose more explicit variable names. This helps communicate the
      difference between "token_data" (which is changed to "v3_token_data")
      and "v2_token_data", for example.

    - Removed unnecessary variables.

    - Added extra assertions against v3 token response bodies, two of which
      fail due to bug 1476329. In short, it's because v2 tokens validated on
      the v3 API are missing the Zulu timezone suffix ('Z').

    - Fixed grammatical issues in comments.

    Change-Id: I780776d761b295c96516266d2154bf50260278fd
    Related-Bug: 1476329

Changed in keystone:
status: Triaged → Fix Committed
status: Fix Committed → Fix Released
Steve Martinelli (stevemar) wrote :

@vanderling, looks like the patch that merged didn't solve the issue. Just highlighted it in a test. Moving this bug's state back to confirmed.

Changed in keystone:
status: Fix Released → Confirmed
Changed in keystone:
assignee: nobody → Akanksha Agrawal (akanksha-aha)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/290139

Changed in keystone:
assignee: Akanksha Agrawal (akanksha-aha) → werner mendizabal (nonameentername)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/290139
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=dced6805a2628742e63516f4730e191e595ad10b
Submitter: Jenkins
Branch: master

commit dced6805a2628742e63516f4730e191e595ad10b
Author: werner mendizabal <email address hidden>
Date: Tue Mar 8 15:20:05 2016 -0600

    v2 tokens validated on the v3 API are missing timezones

    v3 tokens contain the issued_at and expires_at timestamps for each
    token. If a token is created on the v2 API and then validated on the v3
    API, this timezone information is missing (the 'Z' at the end of the
    timestamp), and thus cannot be validated as ISO 8601 extended format
    timestamps. This appears to affect all token formats.

    Change-Id: Ibf0e65852a010c595e9f1154695d3884549d2cbc
    Closes-Bug: #1476329

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → mitaka-rc1
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 9.0.0.0rc1

This issue was fixed in the openstack/keystone 9.0.0.0rc1 release candidate.
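
The failure described in the bug description, seen from a consumer of the v3 validation response, as an added example (not keystone's code or its fix). The flat token dicts, the timestamp values, and the helper names parse_utc, malformed_fields and is_expired are constructed for illustration; treating an unparseable expires_at as expired is an assumption about how a strict consumer would fail closed.

```python
import re
from datetime import datetime, timezone

# ISO 8601 extended format with a mandatory UTC designator ('Z').
ISO8601_UTC = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z")
TIME_FIELDS = ("issued_at", "expires_at")

def parse_utc(ts):
    """Return an aware UTC datetime, or raise ValueError if 'Z' is absent."""
    if not isinstance(ts, str) or not ISO8601_UTC.fullmatch(ts):
        raise ValueError("not an ISO 8601 extended UTC timestamp: %r" % (ts,))
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)

def malformed_fields(token):
    """Names of timestamp fields that are missing or fail strict parsing."""
    bad = []
    for name in TIME_FIELDS:
        try:
            parse_utc(token.get(name))
        except ValueError:
            bad.append(name)
    return sorted(bad)

def is_expired(token, now):
    """Fail closed: an unparseable expires_at counts as expired (assumption)."""
    try:
        return parse_utc(token.get("expires_at")) <= now
    except ValueError:
        return True

# Constructed sample bodies (hypothetical, not captured from a deployment).
V3_TOKEN = {"issued_at": "2015-07-17T21:20:31.000000Z",
            "expires_at": "2015-07-17T22:20:31.000000Z"}
# Same token as the bug describes it: the trailing 'Z' is missing.
V2_ON_V3_TOKEN = {"issued_at": "2015-07-17T21:20:31.000000",
                  "expires_at": "2015-07-17T22:20:31.000000"}

if __name__ == "__main__":
    now = datetime(2015, 7, 17, 21, 30, tzinfo=timezone.utc)
    for label, tok in (("v3", V3_TOKEN), ("v2-on-v3", V2_ON_V3_TOKEN)):
        print(label, malformed_fields(tok), is_expired(tok, now))
```

A lenient parser would instead return a naive datetime for the second body, which Python refuses to compare with an aware one (TypeError) and which other code may silently read as local time.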
