OpenStack Identity (keystone)

Remaining trust uses are consumed even when create token fails

Bug #1335037 reported by wanghong on 2014-06-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	wanghong	OpenStack Identity (keystone) 2014.2 "juno"

Bug Description

I think we should consume trust use only when getting token sucuess. But, currently if I get token fail the trust use will also be consumed. For example:
curl -i -H "Content-Type:application/json" http://127.0.0.1:35357/v3/auth/tokens -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'

If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the trust(bcbddcc479304a8a8c39df24a87cce85), get token will fail:
{"error": {"message": "User is not a trustee. (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

But, the remaining uses of the trust will be consumed.

This is because we call "trust_api.consume_use" before "token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375, and issue_v3_token may be fail for some reasons.

wanghong (w-wanghong) on 2014-06-27

Changed in keystone:
assignee:	nobody → wanghong (w-wanghong)

Dolph Mathews (dolph) on 2014-06-27

summary:	- get token fail also consume trust use + Trusts are consumed even when create token fails
summary:	- Trusts are consumed even when create token fails + Limited trust uses are consumed even when create token fails
summary:	- Limited trust uses are consumed even when create token fails + Remaining trust uses are consumed even when create token fails
Changed in keystone:
importance:	Undecided → Medium
status:	New → Triaged

wanghong (w-wanghong) on 2014-06-28

Changed in keystone:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-30: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/103445

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-31: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/103445
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f6a266972ddc1c2b2eda2e225c22eed623ce5a9a
Submitter: Jenkins
Branch: master

commit f6a266972ddc1c2b2eda2e225c22eed623ce5a9a
Author: wanghong <email address hidden>
Date: Mon Jun 30 10:54:53 2014 +0800

Do not consume trust uses when create token fails

    Currently, remaining trust uses are consumed even when create token
    fails. We should only consume trust uses when successfully creating
    a token.

Change-Id: I55a726250312fa81ed9556dfd530e96f72548930
Closes-Bug: #1335037

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-09-04

Changed in keystone:
milestone:	none → juno-3
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in keystone:
milestone:	juno-3 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.