Cache records for get_*_by_name are not invalidated on entity rename
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Morgan Fainberg |
Havana | Won't Fix | Medium | Morgan Fainberg |
Icehouse | Fix Released | Medium | Morgan Fainberg |
Bug Description
I have noticed in the keystone code that the update_domain and update_project methods in the assignment_api Manager invalidate the cache for get_*_by_name() using the new name, not the old one.
For example in update_domain() if you are changing domain name from 'OldName' to 'NewName', get_domain_
As a result, the old name can be used in some requests until the cache record expires. For example, if you rename a domain, the old name can still be used for authentication (note: caching should be enabled in the keystone configuration):
1. Define domain by its name during login:
curl -X POST -H 'Content-type: application/json' -d '{"auth"
2. Change domain name:
curl -X PATCH -H 'Content-type: application/json' -H 'X-Auth-Token: indigitus' -d '{"domain"
3. Login using old domain name (copy command from step 1).
As a result Alice will be logged in, even though domain name specified is not available anymore.
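The stale-entry behaviour described above, reduced to a minimal model. This is an added example, not keystone code: DomainManager, its dict-backed cache and old_name_resolves_after_rename are hypothetical stand-ins for the assignment_api Manager and its cache region, and invalidating the old name is shown as one way to correct the behaviour.

```python
# Added illustration; DomainManager and its dict-backed cache are hypothetical
# stand-ins, not keystone's assignment_api Manager or its cache region.

class DomainManager:
    def __init__(self, invalidate_old_name):
        self.driver = {}          # domain_id -> record (backend store)
        self.by_name_cache = {}   # name -> record (memoized by-name lookups)
        self.invalidate_old_name = invalidate_old_name

    def create_domain(self, domain_id, name):
        self.driver[domain_id] = {"id": domain_id, "name": name}

    def get_domain_by_name(self, name):
        if name in self.by_name_cache:          # cache hit: backend not consulted
            return self.by_name_cache[name]
        for domain in self.driver.values():
            if domain["name"] == name:
                self.by_name_cache[name] = dict(domain)
                return self.by_name_cache[name]
        return None                             # misses are not cached

    def update_domain(self, domain_id, new_name):
        old_name = self.driver[domain_id]["name"]   # read BEFORE applying the update
        self.driver[domain_id]["name"] = new_name
        if self.invalidate_old_name:
            # Corrected behaviour: drop the entry keyed by the name that went away.
            self.by_name_cache.pop(old_name, None)
        # Behaviour from the report: only the new name's key is invalidated.
        # That key is normally not cached yet, so the stale entry survives.
        self.by_name_cache.pop(new_name, None)


def old_name_resolves_after_rename(invalidate_old_name):
    """Replay the report's three steps; True if 'OldName' still resolves."""
    mgr = DomainManager(invalidate_old_name)
    mgr.create_domain("d1", "OldName")
    mgr.get_domain_by_name("OldName")       # step 1: by-name lookup warms the cache
    mgr.update_domain("d1", "NewName")      # step 2: rename the domain
    return mgr.get_domain_by_name("OldName") is not None   # step 3: old name again


if __name__ == "__main__":
    print("new-name invalidation only:", old_name_resolves_after_rename(False))
    print("old-name invalidation added:", old_name_resolves_after_rename(True))
```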
Changed in keystone: | |
importance: | Undecided → Medium |
status: | New → Triaged |
tags: | added: havana-backport-potential icehouse-backport-potential |
tags: | removed: havana-backport-potential icehouse-backport-potential |
Changed in keystone: | |
milestone: | none → juno-2 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | juno-2 → 2014.2 |
To enable caching on DevStack modify /etc/keystone/keystone.conf:
[cache]
backend=dogpile.cache.memory
enabled=true
debug_cache_backend=true # Not required but nice for debugging