Comment 6 for bug 1129713
Revision history for this message
| Dolph Mathews (dolph) wrote Re: Validation of PKI tokens bypasses revocation check | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
PKI tokens in Grizzly are enabled by default, so if a grizzly deployment is issuing PKI tokens to an older client, that client will attempt to perform online validation and hit this code path. Correct?
Adam: your patch appears to be completely removing support for belongsTo. Apparently we don't have test coverage on this particular feature, and I'm not aware that this feature is used within OpenStack, but it's definitely part of the v2.0 API that should be tested by suites like tempest. This is used to perform server-side validation that a token has authorization on a specific tenant in one of the following two calls:
GET /v2.0/tokens/
HEAD /v2.0/tokens/
The auth_token middleware does this same validation client-side, rather than asking keystone to do it server-side.
These two lines need to be restored:
- if belongs_to:
- assert data['access'