Deleting a role should revoke any tokens associated with it

Bug #1153645 reported by Henry Nash on 2013-03-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Henry Nash

Bug Description

When we delete a role, we delete all the grants associated with it. Since this is a bit like an enforced revoking of user/groups grants, we should invalidate any tokens:

- for users that have had any grant using this role
- for users of any group that has had a grant using this role

Dolph Mathews (dolph) on 2013-06-10
Changed in keystone:
status: New → Confirmed
Lawrance (jing) wrote :

mark

Dolph Mathews (dolph) wrote :

Is this still and issue?

Henry Nash (henry-nash) wrote :

Yes, the problem still exists - and is that delete_role is expanded out into the various removal of role assignments from the nest of metadata tables at the driver level, while our token deletion for a user is at the controller level...so need to refactor the code.

Dolph Mathews (dolph) on 2013-09-10
Changed in keystone:
milestone: none → havana-rc1
Henry Nash (henry-nash) on 2013-09-11
Changed in keystone:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/46613
Committed: http://github.com/openstack/keystone/commit/c80282c3bee1ed1ee2ac5f1a4a9e5b1f56d4e6d2
Submitter: Jenkins
Branch: master

commit c80282c3bee1ed1ee2ac5f1a4a9e5b1f56d4e6d2
Author: Henry Nash <email address hidden>
Date: Tue Sep 17 16:32:35 2013 +0100

    Ensure any relevant tokens are revoked when a role is deleted

    Add a controller class method to delete tokens for a role, along the
    lines of those that exist for deleting tokens for user and project. Ensure
    this is called for both the V2 and V3 delete_role APIs.

    Fixes bug 1153645

    Change-Id: I3c8d70eeb387a18c30df489142ea3aefc2224ae3

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers