Comment 5 for bug 1179955

If the token is tenant scoped .. would make sense to disable token?

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Dolph Mathews
Sent: Tuesday, June 04, 2013 2:21 PM
To: Bhandaru, Malini K
Subject: [Bug 1179955] Re: Disabling a tenant would not disable a user token

satya-patibandla: didn't mean to hijack this if you have a solution. I just wanted to put tests up to demonstrate

--
You received this bug notification because you are subscribed to Keystone.
Matching subscriptions: keystone
https://bugs.launchpad.net/bugs/1179955

Title:
  Disabling a tenant would not disable a user token

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  Using keystone/python-keystoneclient master as of today when disabling
  a tenant would not disable the users attached to the and would still
  have access.

  I would not mind to fix it but I want to make sure first if this is
  something done by design or I am missing something.

  Here is a transcript of my tests :

  # Here is the list of my tenants all enabled and nice (devstack default)
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  | id | name | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde | admin | True |
  | b39f8b007abe472b93ebb5c7fdd80c98 | demo | True |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True |
  | 13fe49ee5e0144d0acd0c89fb901a248 | service | True |
  +----------------------------------+--------------------+---------+

  # Let's store the DEMO_TENANT_ID for later
  chmouel@vm:~$ DEMO_TENANT=b39f8b007abe472b93ebb5c7fdd80c98

  # getting a token with this script available here http://p.chmouel.com/ks which
  chmouel@vm:~$ ks localhost demo:demo ADMIN
  [...]

  # Using the token I can access to my swift account properly all good here.
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: tx390b2fb557fb4cb48a082-0051923f3b
  Date: Tue, 14 May 2013 13:42:19 GMT

  # Now let's try to disable that tenant
  chmouel@vm:~$ keystone tenant-update --enabled false ${DEMO_TENANT}

  # tenant is disabled all good
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  | id | name | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde | admin | True |
  | b39f8b007abe472b93ebb5c7fdd80c98 | demo | False |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True |
  | 13fe49ee5e0144d0acd0c89fb901a248 | service | True |
  +----------------------------------+--------------------+---------+

  # we still have access with that same token since it's properly in memcache
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: txf9d27a7a8a034304b13cb-0051923f6f
  Date: Tue, 14 May 2013 13:43:11 GMT

  # let's restart memcache to clear it
  chmouel@vm:~$ sudo /etc/init.d/memcached restart
  Restarting memcached: memcached.

  # but we still have access.
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: txbe0c0caf533a4f6e98345-0051923f97
  Date: Tue, 14 May 2013 13:43:51 GMT

  the json reply when validating token says that the tenant is still
  enabled even if it's disabled :

  u'tenant': {u'description': None, u'enabled': True, u'id':
  u'b39f8b007abe472b93ebb5c7fdd80c98', u'name': u'demo'}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1179955/+subscriptions