Role revocation invalidates tokens on all user projects
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Alexander Makarov |
Kilo | Fix Released | Undecided | Unassigned |
Bug Description
Keystone invalidates every token for a user after changing its roles within one project.
This was reported by the Horizon team; here are the related bugs:
- https:/
- https:/
After some debugging I discovered that it looks like a revocation extension bug:
I added this test case to tests.test_
http://
It assigns a role to a user on 2 different projects, authorizes the user on those projects, and revokes the role from one of the projects.
The token for the other, "intact" project ceases to validate.
Further investigation showed me that the token is not deleted, but a revocation event is created matching both tokens.
Changed in keystone: | |
assignee: | nobody → Alexander Makarov (amakarov) |
status: | New → In Progress |
Changed in keystone: | |
importance: | Undecided → Medium |
Changed in keystone: | |
milestone: | none → kilo-3 |
tags: | added: juno-backport-potential |
Changed in keystone: | |
milestone: | kilo-3 → none |
Changed in keystone: | |
milestone: | none → kilo-rc1 |
tags: | added: kilo-rc-potential |
Changed in keystone: | |
milestone: | kilo-rc1 → none |
milestone: | none → kilo-rc1 |
tags: | removed: kilo-rc-potential |
Changed in keystone: | |
assignee: | Alexander Makarov (amakarov) → Adam Young (ayoung) |
Changed in keystone: | |
assignee: | Adam Young (ayoung) → Alexander Makarov (amakarov) |
Changed in keystone: | |
milestone: | kilo-rc1 → liberty-1 |
Changed in keystone: | |
status: | New → In Progress |
Changed in keystone: | |
milestone: | liberty-1 → liberty-2 |
Changed in keystone: | |
status: | In Progress → Fix Committed |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
tags: | added: kilo-backport-potential |
Changed in keystone: | |
milestone: | liberty-2 → 8.0.0 |
Just after deleting the assignment, 3 events are created (why not 1?):
Other project: 2bfd2684ec6f4c9abe0625c46ae66e13
Project: ba60d9c3c10c41e3a19c6ee8dcce4096
{'access_token_id': None,
 'audit_chain_id': None,
 'audit_id': None,
 'consumer_id': None,
 'domain_id': None,
 'domain_scope_id': None,
 'expires_at': None,
 'issued_before': datetime.datetime(2014, 12, 12, 15, 36, 41, 275441),
 'project_id': 'ba60d9c3c10c41e3a19c6ee8dcce4096',
 'revoked_at': datetime.datetime(2014, 12, 12, 15, 36, 41, 275441),
 'role_id': '9edfd58adf244f1c8bbba89f477aea4f',
 'trust_id': None,
 'user_id': '0d361672da5547c89aee38035a2875ff'}
{'access_token_id': None,
 'audit_chain_id': None,
 'audit_id': None,
 'consumer_id': None,
 'domain_id': None,
 'domain_scope_id': None,
 'expires_at': None,
 'issued_before': datetime.datetime(2014, 12, 12, 15, 36, 41, 278620),
 'project_id': None,
 'revoked_at': datetime.datetime(2014, 12, 12, 15, 36, 41, 278620),
 'role_id': None,
 'trust_id': None,
 'user_id': '0d361672da5547c89aee38035a2875ff'}
{'access_token_id': None,
 'audit_chain_id': None,
 'audit_id': None,
 'consumer_id': None,
 'domain_id': None,
 'domain_scope_id': None,
 'expires_at': None,
 'issued_before': datetime.datetime(2014, 12, 12, 15, 36, 41, 279114),
 'project_id': None,
 'revoked_at': datetime.datetime(2014, 12, 12, 15, 36, 41, 279114),
 'role_id': None,
 'trust_id': None,
 'user_id': '0d361672da5547c89aee38035a2875ff'}
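The effect of the three events dumped above can be checked with a small matcher. This is an added example, not Keystone's code or part of the original report: it assumes a simplified model in which a `None` attribute on an event acts as a wildcard, and `make_token`, `event_matches` and `matching_events` are hypothetical helper names.

```python
from datetime import datetime

# IDs and timestamps taken from the event dump in the comment above.
USER = "0d361672da5547c89aee38035a2875ff"
PROJECT = "ba60d9c3c10c41e3a19c6ee8dcce4096"        # role removed here
OTHER_PROJECT = "2bfd2684ec6f4c9abe0625c46ae66e13"  # assignment untouched
ROLE = "9edfd58adf244f1c8bbba89f477aea4f"

EVENTS = [
    {"user_id": USER, "project_id": PROJECT, "role_id": ROLE,
     "issued_before": datetime(2014, 12, 12, 15, 36, 41, 275441)},
    {"user_id": USER, "project_id": None, "role_id": None,
     "issued_before": datetime(2014, 12, 12, 15, 36, 41, 278620)},
    {"user_id": USER, "project_id": None, "role_id": None,
     "issued_before": datetime(2014, 12, 12, 15, 36, 41, 279114)},
]

def event_matches(event, token):
    """Assumed model: every non-None event attribute must match the token."""
    if token["issued_at"] > event["issued_before"]:
        return False  # token issued after the event, so it is unaffected
    if event["user_id"] is not None and event["user_id"] != token["user_id"]:
        return False
    if event["project_id"] is not None and event["project_id"] != token["project_id"]:
        return False
    if event["role_id"] is not None and event["role_id"] not in token["roles"]:
        return False
    return True

def matching_events(token, events=EVENTS):
    """Indexes of the events that would revoke this token."""
    return [i for i, e in enumerate(events) if event_matches(e, token)]

def make_token(project_id, issued_at=datetime(2014, 12, 12, 15, 30, 0)):
    # Constructed sample token, issued before the role was removed.
    return {"user_id": USER, "project_id": project_id, "roles": [ROLE],
            "issued_at": issued_at}

if __name__ == "__main__":
    for name, pid in (("project", PROJECT), ("other project", OTHER_PROJECT)):
        print(name, "revoked by events", matching_events(make_token(pid)))
```

Under this model only the first event is scoped to the project and role; the two events that carry nothing but `user_id` match the token for the untouched project as well.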