Cache records for get_*_by_name are not invalidated on entity rename

Bug #1311142 reported by Yuriy Chemerys
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Morgan Fainberg |
Havana | Won't Fix | Medium | Morgan Fainberg |
Icehouse | Fix Released | Medium | Morgan Fainberg |

Bug Description

I have noticed in the keystone code that the update_domain and update_project methods in the assignment_api Manager invalidate the cache for get_*_by_name() using the new name, not the old one.

For example, in update_domain(), if you are changing the domain name from 'OldName' to 'NewName', get_domain_by_name.invalidate() is called with 'NewName' as the argument. See:

https://github.com/openstack/keystone/blob/1e948043fe2456bd91b398317c71c665d69e9935/keystone/assignment/core.py#L320

As a result, the old name can be used in some requests until the cache record expires. For example, if you rename a domain, the old name can still be used for authentication (note: caching should be enabled in the keystone configuration):

1. Define domain by its name during login:

    curl -X POST -H 'Content-type: application/json' -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"name":"Alice","domain":{"name": "OldName"}, "password":"A12345678"}}}}}' -v http://192.168.56.101:5000/v3/auth/tokens

2. Change domain name:

    curl -X PATCH -H 'Content-type: application/json' -H 'X-Auth-Token: indigitus' -d '{"domain":{"name":"NewName"}}' http://192.168.56.101:5000/v3/domains/7e0629d4e31b4c5591a4a10d0b8931df

3. Login using old domain name (copy command from step 1).

As a result, Alice will be logged in, even though the domain name specified is not available anymore.
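
The stale-key behaviour reported above, reduced to a self-contained sketch. This is an added example, not keystone's code: `Memoized` is a minimal stand-in for a memoizing decorator with per-argument `invalidate()`, and `Manager`, `DomainNotFound` and the sample domain are hypothetical.

```python
# Added illustration only. Memoized stands in for a memoizing decorator that
# supports per-argument invalidation; all names here are hypothetical.
class Memoized:
    """Cache results per argument tuple; invalidate(*args) drops one entry."""
    def __init__(self, fn):
        self.fn, self.store = fn, {}

    def __call__(self, *args):
        if args not in self.store:
            self.store[args] = self.fn(*args)
        return self.store[args]

    def invalidate(self, *args):
        self.store.pop(args, None)


class DomainNotFound(Exception):
    pass


class Manager:
    def __init__(self, fix_applied):
        self.fix_applied = fix_applied
        self.domains = {"d1": {"id": "d1", "name": "OldName"}}  # constructed sample
        self.get_domain_by_name = Memoized(self._lookup_by_name)

    def _lookup_by_name(self, name):
        for domain in self.domains.values():
            if domain["name"] == name:
                return dict(domain)
        raise DomainNotFound(name)

    def update_domain(self, domain_id, changes):
        original = dict(self.domains[domain_id])  # snapshot before the write
        self.domains[domain_id].update(changes)
        # Buggy path: invalidates the key for the new name, which was never cached.
        # Fixed path: invalidates the key for the name the entity had before.
        new_name = self.domains[domain_id]["name"]
        stale_key = original["name"] if self.fix_applied else new_name
        self.get_domain_by_name.invalidate(stale_key)


def old_name_still_resolves(fix_applied):
    manager = Manager(fix_applied)
    manager.get_domain_by_name("OldName")  # lookup by name populates the cache
    manager.update_domain("d1", {"name": "NewName"})
    try:
        manager.get_domain_by_name("OldName")
        return True
    except DomainNotFound:
        return False
```

A regression test for this class of bug has to populate the cache through the by-name lookup before the rename; populating it through a by-id lookup leaves the by-name entry empty and the test passes even with the buggy invalidation.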

Yuriy Chemerys (ychemerys) wrote :

To enable caching on DevStack modify /etc/keystone/keystone.conf:

    [cache]
    backend=dogpile.cache.memory
    enabled=true
    debug_cache_backend=true # Not required but nice for debugging

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: havana-backport-potential icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/97082

Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/99568

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/99568
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=091730c4ae1434dcb75f4ebbb4184c1de88d2cef
Submitter: Jenkins
Branch: master

commit 091730c4ae1434dcb75f4ebbb4184c1de88d2cef
Author: Morgan Fainberg <email address hidden>
Date: Wed Jun 11 21:44:29 2014 -0700

    Make sure domains are enabled by default

    Domains without an explicit 'enabled' key in the dict will now be
    handled in the same way as projects are. This will ensure that
    the KVS backend produces the same result as the SQL backend for
    assignment.

    Change-Id: I3b6d26278329841cfe1be5ce7f67ba6d3569785f
    Related-Bug: #1311142

Yuriy Chemerys (ychemerys) wrote :

Looks like the review from comment #4 refers to the wrong bug.

Dolph Mathews (dolph) wrote :

Yuriy: it's only referring to this bug in that it's related to this bug, not that the patch is intended to close this bug (hence the bot left the status as In Progress). Comment #2 links to the patch to close this bug.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/97082
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5777f84451aadb421800c7411919e6b9518b5653
Submitter: Jenkins
Branch: master

commit 5777f84451aadb421800c7411919e6b9518b5653
Author: Morgan Fainberg <email address hidden>
Date: Wed Jun 11 21:44:29 2014 -0700

    Properly invalidate cache for get_*_by_name methods

    Use the original name for invalidating the cache on the
    get_project_by_name and get_domain_by_name when performing update
    operations on the name attributes.

    Change-Id: If58a3b0a47501096f9fa9eb9cd7a6057f7b29298
    Closes-Bug: #1311142

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/icehouse)

Related fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/101081

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/101082

tags: removed: havana-backport-potential icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/havana)

Related fix proposed to branch: stable/havana
Review: https://review.openstack.org/102691

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/102692

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/101081
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e08b62a4ebe9ecf3d05be9ee7f3e3d45da472c0b
Submitter: Jenkins
Branch: stable/icehouse

commit e08b62a4ebe9ecf3d05be9ee7f3e3d45da472c0b
Author: Morgan Fainberg <email address hidden>
Date: Wed Jun 18 18:40:59 2014 -0700

    Make sure domains are enabled by default

    Domains without an explicit 'enabled' key in the dict will now be
    handled in the same way as projects are. This will ensure that
    the KVS backend produces the same result as the SQL backend for
    assignment.

    Change-Id: I3b6d26278329841cfe1be5ce7f67ba6d3569785f
    Related-Bug: #1311142

tags: added: in-stable-icehouse
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/101082
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cef4fbc9971e87cc822900ef3b6e0ec6029e5fa0
Submitter: Jenkins
Branch: stable/icehouse

commit cef4fbc9971e87cc822900ef3b6e0ec6029e5fa0
Author: Morgan Fainberg <email address hidden>
Date: Wed Jun 18 18:38:19 2014 -0700

    Properly invalidate cache for get_*_by_name methods

    Use the original name for invalidating the cache on the
    get_project_by_name and get_domain_by_name when performing update
    operations on the name attributes.

    Change-Id: If58a3b0a47501096f9fa9eb9cd7a6057f7b29298
    Closes-Bug: #1311142

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/icehouse)

Related fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/103418

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/103419

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/103419
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=49109f1ccaefa99535cf0a3bad2b9b4f7d9534cd
Submitter: Jenkins
Branch: master

commit 49109f1ccaefa99535cf0a3bad2b9b4f7d9534cd
Author: Morgan Fainberg <email address hidden>
Date: Sun Jun 29 09:58:30 2014 -0700

    Fix test for get_*_by_name invalidation

    Use the correct .get_*by_name method for project and domain to
    populate the cache instead of get by id when testing.

    Change-Id: Ie1c02183688b0d928edc8d9c90a785cd98998377
    Related-Bug: #1311142

Changed in keystone:
milestone: none → juno-2
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/icehouse)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/103418

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/havana)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: stable/havana
Review: https://review.openstack.org/102691
Reason: New behavior required to get fix in. abandoning as inappropriate for havana backport.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: stable/havana
Review: https://review.openstack.org/102692
Reason: New behavior required to get fix in. abandoning as inappropriate for havana backport.

Morgan Fainberg (mdrnstm) wrote :

New behavior required to get fix in. abandoning as inappropriate for havana backport.

Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-2 → 2014.2