V3 Revoke token API is doing V2 style admin check

Bug #1186061 reported by Arvind Tiwari on 2013-05-31
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Guang Yee

Bug Description

V3 Revoke token API is doing V2 style admin check even if the caller is authorized based on auth policy. The APi call is landing at "keystone.token.controllers.delete_token" method which try to do assert_admin(context) which will fail if the call is not an V2 type admin.

API: DELETE http://localhost:35358/v3/auth/tokens

Below is the block of code from keystone.token.controllers.delete_token which does assert_admin checks

def delete_token(self, context, token_id):
      """Delete a token, effectively invalidating it for authz."""
      # TODO(termie): this stuff should probably be moved to middleware
      self.assert_admin(context)
      self.token_api.delete_token(context=context, token_id=token_id)

Changed in keystone:
assignee: nobody → Arvind Tiwari (arvind-tiwari)
description: updated
Dolph Mathews (dolph) on 2013-05-31
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Guang Yee (guang-yee) wrote :

The problem was, for delete token, v3 aut controller is calling back to the v2 token controller. This problem is addressed in the new pluggable token management impl.

https://review.openstack.org/#/c/29021/

Changed in keystone:
assignee: Arvind Tiwari (arvind-tiwari) → Guang Yee (guang-yee)
status: Triaged → In Progress
Changed in keystone:
assignee: Guang Yee (guang-yee) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Guang Yee (guang-yee)

Reviewed: https://review.openstack.org/33858
Committed: http://github.com/openstack/keystone/commit/c238ace30981877e5991874c5b193ea7d5107419
Submitter: Jenkins
Branch: master

commit c238ace30981877e5991874c5b193ea7d5107419
Author: Guang Yee <email address hidden>
Date: Thu Jun 20 10:06:17 2013 -0700

    Implements Pluggable V3 Token Provider

    Abstract V3 token provider backend to make token provider pluggable. It enables
    deployers to customize token management to add their own capabilities.
    Token provider is responsible for issuing, checking, validating, and
    revoking tokens. Note the distinction between token 'driver' and 'provider'.
    Token 'driver' simply provides token persistence. It does not issue or
    interpret tokens.

    Token provider is specified by the 'provider' property in the '[token]'
    section of the Keystone configuration file.

    Partially implemented blueprint pluggable-token-format.

    This patch also fixes bug 1186061.

    Change-Id: I755fb850765ea99e5237626a2e645e6ceb42a9d3

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-07-17
Changed in keystone:
milestone: none → havana-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-2 → 2013.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers