Unscoped tokens are revoked when assigning a role to a user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | High | Lin Hua Cheng |
OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews |
Grizzly | Fix Released | High | Dirk Mueller |
Bug Description
Back in Folsom, when a user creates a project and adds himself to that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In Grizzly, adding a user to a project would result in all his tokens being revoked, even the unscoped ones. I've also tried Keystone V3, hoping that token scoping on domains would solve my problem, but still the same thing happens.
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to a domain and some to projects.
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4a
+------
| id | valid |
+------
| 067bb96c5ee3491
| 3ba0ee57018c400
| cdb6fe2a1d23477
| e0f66872d37b4c8
+------
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4a
Empty set (0.00 sec)
--------> All tokens no matter what scope became invalid
This also relates to the bugs filed in Horizon
https:/
https:/
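The two revocation behaviours described in the report, side by side, as an added example that is not Keystone's code and not part of the original report. The `token` table layout, the token ids and the function names are simplified assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows: (token id, user, project scope, domain scope).
# The schema is a simplified assumption, not Keystone's real token table.
SAMPLE_TOKENS = [
    ("tok-unscoped", "user-1", None, None),
    ("tok-proj-a", "user-1", "proj-a", None),
    ("tok-proj-b", "user-1", "proj-b", None),
    ("tok-domain", "user-1", None, "dom-1"),
    ("tok-other-user", "user-2", "proj-a", None),
]


def make_db():
    """Build an in-memory token table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE token (id TEXT PRIMARY KEY, user_id TEXT, "
        "project_id TEXT, domain_id TEXT, valid INTEGER DEFAULT 1)"
    )
    db.executemany(
        "INSERT INTO token (id, user_id, project_id, domain_id) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_TOKENS,
    )
    return db


def revoke_all_for_user(db, user_id):
    """Behaviour reported for Grizzly: every token of the user is revoked."""
    db.execute("UPDATE token SET valid = 0 WHERE user_id = ?", (user_id,))


def revoke_for_user_project(db, user_id, project_id):
    """Behaviour the report expects: only tokens scoped to that project.

    Rows with a NULL project_id (unscoped or domain-scoped) never match
    the equality test, so they stay valid.
    """
    db.execute(
        "UPDATE token SET valid = 0 WHERE user_id = ? AND project_id = ?",
        (user_id, project_id),
    )


def valid_tokens(db, user_id):
    """Return the ids of the user's still-valid tokens, sorted by id."""
    rows = db.execute(
        "SELECT id FROM token WHERE user_id = ? AND valid = 1 ORDER BY id",
        (user_id,),
    )
    return [row[0] for row in rows]
```

A regression test for this bug can use the same shape: grant a role, then check that the unscoped token is still listed as valid while the token scoped to the affected project is not.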
description: | updated |
Changed in horizon: | |
milestone: | havana-1 → havana-2 |
tags: | added: grizzly-backport-potential |
Changed in horizon: | |
assignee: | nobody → Lin Hua Cheng (lin-hua-cheng) |
Changed in horizon: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | none → havana-2 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | havana-2 → 2013.2 |
Changed in horizon: | |
milestone: | havana-2 → 2013.2 |
tags: | removed: grizzly-backport-potential |
diff --git a/keystone/ identity/ controllers. py b/keystone/ identity/ controllers. py identity/ controllers. py identity/ controllers. py .V2Controller) :
index e82b81f..7676195 100644
--- a/keystone/
+++ b/keystone/
@@ -299,7 +299,7 @@ class Role(controller
- self._delete_
+ self._delete_
role_ref = self.identity_ api.get_ role(context, role_id)
return {'role': role_ref}
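Review bot: the replaced `self._delete_` call at line 299 of the `Role` V2 controller is the only change in this hunk and nothing here exercises it, so it needs a test that grants a role to a user who holds both an unscoped token and a token scoped to the affected project, and asserts that only the scoped token becomes invalid. The bug report states that the same revocation happens through Keystone V3, while this hunk touches only the V2 controller, so please confirm the V3 role-grant path gets the same treatment. The name of the new helper is cut off in the lines shown, so which tokens it actually selects cannot be checked from this hunk alone; a short comment above the call stating which tokens are revoked and why would help the next reader.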