Tokens are revoked when assigning a role to a group

Bug #1187359 reported by Dolph Mathews
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Bug 1170186 changed user role assignments such that they do not revoke the user's tokens. After that patch merged, it was caught in code review that group role assignments result in the same behavior (mass token revocation). This behavior is unnecessary and should be removed for the same reasons as cited in the above bug.

Dolph Mathews (dolph)
tags: added: grizzly-backport-potential
summary: - Tokens are revoked when adding a user to a group
+ Tokens are revoked when assigning a role to a group
Lin Hua Cheng (lin-hua-cheng) wrote :

Dolph: I think the first description was correct. Assigning a user to a group also revokes the user's token.

For the case of assigning a role to a group, I haven't tested this case yet to see if it will revoke the group members' tokens.

Dolph Mathews (dolph) wrote :

Hmm, both scenarios are worth testing!

Lin Hua Cheng (lin-hua-cheng) wrote :

Validated that assigning a role to a group does not revoke the tokens of the members.

However, revoking roles from a User or Group revokes the tokens. Is that the expected behavior?

Dolph Mathews (dolph) wrote :

Yes, as a consequence of changing the user's source of authorization, existing tokens are revoked.

Lin Hua Cheng (lin-hua-cheng) wrote :

I think you can just close this bug.

Assigning a role to a user/group does not revoke the token.

Revoking a role from a user/group revokes the token.

The behavior seems right from a security perspective. If you're revoking access, you want that to be effective immediately. And adding grants does not need to be effective immediately, so revoking tokens is not necessary.
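To make the distinction above concrete, here is an added Python model (not Keystone's own code; the class and method names are hypothetical) in which a token snapshots the roles held at issue time: a grant leaves existing tokens valid, a revocation drops the tokens of every affected user, and a group revocation fans out to all current members.

```python
# Added model of the grant-vs-revoke behaviour discussed in this bug.
# Not Keystone code: names and storage layout are illustrative assumptions.
class IdentityModel:
    def __init__(self):
        self.user_roles = {}   # (user, project) -> set of roles
        self.group_roles = {}  # (group, project) -> set of roles
        self.members = {}      # group -> set of users (set up before tokens are issued)
        self.tokens = {}       # token id -> (user, project, frozen role snapshot)
        self._counter = 0

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def effective_roles(self, user, project):
        roles = set(self.user_roles.get((user, project), ()))
        for group, users in self.members.items():
            if user in users:
                roles |= self.group_roles.get((group, project), set())
        return roles

    def issue_token(self, user, project):
        # A token records the roles the user held when it was issued.
        self._counter += 1
        tid = f"tok{self._counter}"
        self.tokens[tid] = (user, project, frozenset(self.effective_roles(user, project)))
        return tid

    def validate(self, tid):
        """Roles a validator would see for the token, or None once it is revoked."""
        entry = self.tokens.get(tid)
        return set(entry[2]) if entry else None

    def grant(self, subject, project, role, is_group=False):
        table = self.group_roles if is_group else self.user_roles
        table.setdefault((subject, project), set()).add(role)
        # Deliberately no revocation: an older token is merely missing the new
        # role, which costs the user a re-authentication, never extra privilege.

    def revoke_role(self, subject, project, role, is_group=False):
        table = self.group_roles if is_group else self.user_roles
        table.get((subject, project), set()).discard(role)
        # Older tokens still assert the removed role, so drop them now for every
        # affected user; a group revocation fans out to all current members.
        affected = self.members.get(subject, set()) if is_group else {subject}
        self.tokens = {t: e for t, e in self.tokens.items() if e[0] not in affected}
```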

Dolph Mathews (dolph) wrote :

Thanks for looking into it! If you have any new tests to assert the above, they'd be appreciated.

Changed in keystone:
assignee: Dolph Mathews (dolph) → nobody
status: Confirmed → Invalid
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential