When using the memcache token backend, In cases where token revocations (bulk revocations) that rely on the trustee's token-index-list to perform the revocations - the revocations cannot occur. This is because trustee tokens are added only to the trustor's token list. This appears to only be an issue for trusts with impersonation enabled. This is most noticeable when the trustee user is disabled or the trustee changes a password. I am sure there are other related scenarios.
Check the memcache token lists, the admin user should have 1 token (used to create the trust), the demo user should have 2 tokens (initial token, and trust token)
vagrant@precise64:~/devstack$ telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
get usertokens-46c9e36c50c14dfab36b6511d6ebedd4
VALUE usertokens-46c9e36c50c14dfab36b6511d6ebedd4 0 104
"1bb6a8abc42e1d1a944e08a20de20a91","ee512379a66027733001648799083349"
END
get usertokens-36240e5f6ed04857bf15d08a519b6e37
VALUE usertokens-36240e5f6ed04857bf15d08a519b6e37 0 34
"36df008ec5b5d3dd6983c8fe84d407f6"
This does not affect the SQL or KVS backends. This will affect Master (until KVS refactor is complete), Havana, and Grizzly. The reason for this occurring is a lack of testing against the memcache backend itself (and it’s logic). With the refactor of KVS (keyvaluestore) it will ensure the testing is the same against all KVS (memcache, in-memory, redis, etc) backends since the interfaces work in the same manner/mechanism.
When using the memcache token backend, In cases where token revocations (bulk revocations) that rely on the trustee's token-index-list to perform the revocations - the revocations cannot occur. This is because trustee tokens are added only to the trustor's token list. This appears to only be an issue for trusts with impersonation enabled. This is most noticeable when the trustee user is disabled or the trustee changes a password. I am sure there are other related scenarios.
Example reproduction -
Create the trust:
curl -H "X-Auth-Token: $TOKEN" -X POST http:// 127.0.0. 1:35357/ v3/OS-TRUST/ trusts -d '{"trust" :{"impersonatio n": true, "project_id": "9b2c18a72c8a47 7b891b48931c26c ebe", "roles": [{"name" :"admin" }],"trustee_ user_id" :"36240e5f6ed04 857bf15d08a519b 6e37"," trustor_ user_id" :"46c9e36c50c14 dfab36b6511d6eb edd4"}} ' -H 'Content-Type: application/json'
RESPONSE:
"expires_ at": null, 9d8a84a7f253e20 924",
"impersonation ": true, 172.16. 30.195: 5000/v3/ OS-TRUST/ trusts/ 0d2dc361043d4f9 d8a84a7f253e209 24"
"project_ id": "9b2c18a72c8a47 7b891b48931c26c ebe",
"id": "0bd1d61badd742 bebc044dc246a43 513",
"links" : {
" self": "http:// 172.16. 30.195: 5000/v3/ roles/0bd1d61ba dd742bebc044dc2 46a43513"
"name" : "admin"
"roles_ links": {
"previous" : null, 172.16. 30.195: 5000/v3/ OS-TRUST/ trusts/ 0d2dc361043d4f9 d8a84a7f253e209 24/roles"
"trustee_ user_id" : "36240e5f6ed048 57bf15d08a519b6 e37",
"trustor_ user_id" : "46c9e36c50c14d fab36b6511d6ebe dd4"
{
"trust": {
"id": "0d2dc361043d4f
"links": {
"self": "http://
},
"roles": [
{
},
}
],
"next": null,
"self": "http://
},
}
}
Consume the trust:
vagrant@ precise64: ~/devstack$ cat trust_token.json
"methods" : [
"token"
"token" : {
"id": "<PKI TOKEN ID>"
"OS- TRUST:trust" : {
"id": "0d2dc361043d4f 9d8a84a7f253e20 924"
{
"auth": {
"identity": {
],
}
},
"scope": {
}
}
}
}
curl -si -d @trust_token.json -H 'Content-Type: application/json' -X POST http:// localhost: 35357/v3/ auth/tokens
RESPONSE:
{
"OS-TRUST: trust": { 9d8a84a7f253e20 924",
"impersona tion": true,
"trustee_ user": {
"id": "36240e5f6ed048 57bf15d08a519b6 e37"
"trustor_ user": {
"id": "46c9e36c50c14d fab36b6511d6ebe dd4"
"expires_ at": "2013-12- 12T20:06: 00.239812Z" ,
"issued_ at": "2013-12- 11T20:10: 22.224381Z" ,
"token" ,
"password"
"domain" : {
"id": "default",
"name" : "Default" 7b891b48931c26c ebe",
"id": "0bd1d61badd742 bebc044dc246a43 513",
"name" : "admin"
"domain" : {
"id": "default",
"name" : "Default" fab36b6511d6ebe dd4",
"token": {
"id": "0d2dc361043d4f
},
}
},
"catalog": [
... <SNIP FOR BREVITY>
],
"extras": {},
"methods": [
],
"project": {
},
"id": "9b2c18a72c8a47
"name": "admin"
},
"roles": [
{
}
],
"user": {
},
"id": "46c9e36c50c14d
"name": "admin"
}
}
}
Check the memcache token lists, the admin user should have 1 token (used to create the trust), the demo user should have 2 tokens (initial token, and trust token)
vagrant@ precise64: ~/devstack$ telnet localhost 11211 46c9e36c50c14df ab36b6511d6ebed d4 46c9e36c50c14df ab36b6511d6ebed d4 0 104 1a944e08a20de20 a91","ee512379a 660277330016487 99083349" 36240e5f6ed0485 7bf15d08a519b6e 37 36240e5f6ed0485 7bf15d08a519b6e 37 0 34 dd6983c8fe84d40 7f6"
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
get usertokens-
VALUE usertokens-
"1bb6a8abc42e1d
END
get usertokens-
VALUE usertokens-
"36df008ec5b5d3
This does not affect the SQL or KVS backends. This will affect Master (until KVS refactor is complete), Havana, and Grizzly. The reason for this occurring is a lack of testing against the memcache backend itself (and it’s logic). With the refactor of KVS (keyvaluestore) it will ensure the testing is the same against all KVS (memcache, in-memory, redis, etc) backends since the interfaces work in the same manner/mechanism.
The root of this issue stems from the old KVS and SQL systems being less strict on matching trust scoped tokens: git.openstack. org/cgit/ openstack/ keystone/ tree/keystone/ token/backends/ kvs.py? id=cc0c6565e3fe 6ed60543e6ebd5e 54cba51e59fc6# n86 git.openstack. org/cgit/ openstack/ keystone/ tree/keystone/ token/backends/ sql.py? id=cc0c6565e3fe 6ed60543e6ebd5e 54cba51e59fc6# n126
(KVS) http://
(SQL) http://
Whereas memcache needs to use the user-index to determine tokens for a given user before matching against the trust scope: git.openstack. org/cgit/ openstack/ keystone/ tree/keystone/ token/backends/ memcache. py?id=cc0c6565e 3fe6ed60543e6eb d5e54cba51e59fc 6#n190
http://