v2 token cache not correctly invalidated when using "Belongs To"

Bug #1226225 reported by Henry Nash on 2013-09-16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Henry Nash

Bug Description

v2 token deletion and validation methods take an optional "belongs_to" parameter, which is the tenant. Due to how sensitive the dogpile caching is on the parameters to validate_token, this can lead to problems where a token cache is not correctly cleared, for example, the following (pseudo test) will fail:

- create a scoped token for a user to a project
- check the token is valid, just using the token ID (without passing in belongs_to).....[this sets the cache]
- delete the token using the driver function delete_tokens, passing in user and tenant
- check if token is still valid, just using token ID (it will be return successfully from the cache - which is incorrect)
- check if token is still valid, token ID and tenant ID (it will not be found - which is correct)

The problem is in invalidate_individual_token_cache in the token provider, which already tries to handle the case of invalidating a token with and without a belongs_to tenant....but doesn't catch the case when dogpile has cached the key as "tokenID, None" as the parameters.

Thanks to morganfainberg for his help in debugging the above.

Henry Nash (henry-nash) on 2013-09-16
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
importance: Undecided → High
milestone: none → havana-rc1
description: updated
description: updated
description: updated
Changed in keystone:
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/46972

Changed in keystone:
status: Confirmed → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/47516

Reviewed: https://review.openstack.org/46972
Committed: http://github.com/openstack/keystone/commit/07a080d3d6f2bdc37daaf5105f3848d2450f8b17
Submitter: Jenkins
Branch: master

commit 07a080d3d6f2bdc37daaf5105f3848d2450f8b17
Author: Henry Nash <email address hidden>
Date: Tue Sep 17 16:32:35 2013 +0100

    Ensure v2 tokens are correctly invalidated when using BelongsTo

    Due to the optional paramater of the tenant on several v2 token
    validation methods, we need to ensure that calling token validation
    with different permutations of parameters does not lead to an incorrect
    cache value being returned. This is done by lifting the 'BelongsTo'
    checks out of the token backend and into the Manager, in a layer above
    where the token caching takes place.

    Fixes bug 1226225

    Change-Id: Ifa3162923ad41aac6a9e5d5b4996bc43dc9b11fb

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/47516
Committed: http://github.com/openstack/keystone/commit/05eddbdbc18611275563856fdac27328f2afae56
Submitter: Jenkins
Branch: master

commit 05eddbdbc18611275563856fdac27328f2afae56
Author: Dolph Mathews <email address hidden>
Date: Thu Sep 19 22:25:57 2013 -0500

    Add extra test coverage for unscoped token invalidation

    As noted in review https://review.openstack.org/#/c/46972/ - this is
    just adding a "missing" one-liner to make the test coverage symmetrical.

    Related-Bug: 1226225
    Change-Id: I6f008a149cc428fcbb023dd9daa0dae0db53aeac

Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers