Role revocation invalidates tokens on all user projects

Bug #1401926 reported by Alexander Makarov
Affects                        | Status       | Importance | Assigned to       | Milestone
OpenStack Identity (keystone)  | Fix Released | Medium     | Alexander Makarov |
Kilo                           | Fix Released | Undecided  | Unassigned        |

Bug Description

Keystone invalidates every token for a user after changing its roles within one project.
This was reported by Horizon team, here are related bugs:
- https://bugs.launchpad.net/mos/+bug/1393732
- https://bugs.launchpad.net/horizon/+bug/1252341

After some debugging I discovered that it looks like a revocation extension bug:

I added this test case to tests.test_v3_auth.TestTokenRevokeById

http://paste.openstack.org/show/149939/

It assigns a role to the user on 2 different projects, authorizes the user on those projects, and revokes the role from one of the projects.
The token for the other, "intact" project ceases to validate.

Further investigation showed me that the token is not deleted, but a revocation event is created that matches both tokens.

Changed in keystone:
assignee: nobody → Alexander Makarov (amakarov)
status: New → In Progress
Revision history for this message
Alexander Makarov (amakarov) wrote :

Just after deleting assignment 3 events are created (why not 1?):

Other project: 2bfd2684ec6f4c9abe0625c46ae66e13
Project: ba60d9c3c10c41e3a19c6ee8dcce4096
{'access_token_id': None,
 'audit_chain_id': None,
 'audit_id': None,
 'consumer_id': None,
 'domain_id': None,
 'domain_scope_id': None,
 'expires_at': None,
 'issued_before': datetime.datetime(2014, 12, 12, 15, 36, 41, 275441),
 'project_id': 'ba60d9c3c10c41e3a19c6ee8dcce4096',
 'revoked_at': datetime.datetime(2014, 12, 12, 15, 36, 41, 275441),
 'role_id': '9edfd58adf244f1c8bbba89f477aea4f',
 'trust_id': None,
 'user_id': '0d361672da5547c89aee38035a2875ff'}
{'access_token_id': None,
 'audit_chain_id': None,
 'audit_id': None,
 'consumer_id': None,
 'domain_id': None,
 'domain_scope_id': None,
 'expires_at': None,
 'issued_before': datetime.datetime(2014, 12, 12, 15, 36, 41, 278620),
 'project_id': None,
 'revoked_at': datetime.datetime(2014, 12, 12, 15, 36, 41, 278620),
 'role_id': None,
 'trust_id': None,
 'user_id': '0d361672da5547c89aee38035a2875ff'}
{'access_token_id': None,
 'audit_chain_id': None,
 'audit_id': None,
 'consumer_id': None,
 'domain_id': None,
 'domain_scope_id': None,
 'expires_at': None,
 'issued_before': datetime.datetime(2014, 12, 12, 15, 36, 41, 279114),
 'project_id': None,
 'revoked_at': datetime.datetime(2014, 12, 12, 15, 36, 41, 279114),
 'role_id': None,
 'trust_id': None,
 'user_id': '0d361672da5547c89aee38035a2875ff'}

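The scenario from the bug description and the three events listed in the comment above, modelled as an added example. This is not keystone's code and not the reporter's test case from the paste: the Token and RevocationEvent classes, event_matches, is_valid, the two delete_grant_* helpers and the sample identifiers are all constructed here. The matching rule assumed is the one the events imply, that a None field is a wildcard, so the two events carrying only user_id revoke every token the user holds, including the one on the project whose grant was never touched. delete_grant_before_fix reproduces the three events shown above; delete_grant_after_fix emits the single grant-scoped event that the eventual fix's commit message calls revocation by grant.

```python
"""Stand-in model of Keystone-style revocation events (added example, not keystone code).

Field names follow the event dicts shown in the bug comment; everything else
(classes, helpers, IDs) is constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample identifiers (not the IDs from the bug report).
USER = "user-a"
ROLE = "member"
PROJECT = "project-p"          # the project the grant is removed from
OTHER_PROJECT = "project-q"    # the "intact" project


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    role_ids: frozenset
    issued_at: datetime


@dataclass(frozen=True)
class RevocationEvent:
    """Only the fields this example uses; None means 'matches anything'."""
    issued_before: datetime
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    role_id: Optional[str] = None


def event_matches(event: RevocationEvent, token: Token) -> bool:
    """A token is revoked by an event when it was issued before the event and
    every non-None attribute of the event agrees with the token. With these
    wildcard semantics an event that sets only user_id revokes all of that
    user's earlier tokens, whatever project they are scoped to."""
    if token.issued_at >= event.issued_before:
        return False
    if event.user_id is not None and event.user_id != token.user_id:
        return False
    if event.project_id is not None and event.project_id != token.project_id:
        return False
    if event.role_id is not None and event.role_id not in token.role_ids:
        return False
    return True


def is_valid(token: Token, events) -> bool:
    return not any(event_matches(e, token) for e in events)


def delete_grant_before_fix(user_id, project_id, role_id, now):
    """Mirrors the three events shown in the comment: one scoped to
    user+project+role, followed by two that carry only the user_id."""
    return [
        RevocationEvent(issued_before=now, user_id=user_id,
                        project_id=project_id, role_id=role_id),
        RevocationEvent(issued_before=now, user_id=user_id),
        RevocationEvent(issued_before=now, user_id=user_id),
    ]


def delete_grant_after_fix(user_id, project_id, role_id, now):
    """Revocation by grant: a single event scoped to user, project and role."""
    return [RevocationEvent(issued_before=now, user_id=user_id,
                            project_id=project_id, role_id=role_id)]


def reproduce(delete_grant):
    """Run the bug's scenario against a delete_grant implementation: two
    tokens for the same user on two projects, then remove the grant on one.
    Returns how many events were emitted and whether each token still validates."""
    t0 = datetime(2014, 12, 12, 15, 36, 0)
    tok_revoked = Token(USER, PROJECT, frozenset({ROLE}), t0)
    tok_intact = Token(USER, OTHER_PROJECT, frozenset({ROLE}), t0 + timedelta(seconds=1))
    events = delete_grant(USER, PROJECT, ROLE, t0 + timedelta(seconds=41))
    return {
        "events_emitted": len(events),
        "revoked_project_token_valid": is_valid(tok_revoked, events),
        "other_project_token_valid": is_valid(tok_intact, events),
    }


if __name__ == "__main__":
    print("before fix:", reproduce(delete_grant_before_fix))
    print("after fix: ", reproduce(delete_grant_after_fix))
```

The check worth keeping from this: after removing one grant, count the revocation events actually written and confirm that a token scoped to an unrelated project still validates. A user-only event is what "disable this user" or "password changed" should produce; a single role removal should never widen to that scope.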
Revision history for this message
Alexander Makarov (amakarov) wrote :

Moreover, if the user belongs to a group whose role on any project is removed, then all of the user's tokens created before that are considered revoked.

Changed in keystone:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/142099

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Proposed the test case that was provided to review. Depending on the fix, the test should be refactored. I was able to recreate this.

Revision history for this message
Alexander Makarov (amakarov) wrote :

@Lance, looks like I wrote incorrect commit message here: https://review.openstack.org/#/c/141397/
It contains quick&dirty solution, so WIP for now :)

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Ah, I didn't see that. Not sure why that didn't get picked up in the bug report?

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Either patch works for me. I at least wanted to get something pushed up that exposed the bug initially.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/142099
Reason: This review https://review.openstack.org/#/c/141854/ has made some progress and it was agreed that the fix would be continued there.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Alexander Makarov (<email address hidden>) on branch: master
Review: https://review.openstack.org/141397
Reason: Patch solving revocation problem: https://review.openstack.org/#/c/141854/

Dolph Mathews (dolph)
Changed in keystone:
milestone: none → kilo-3
tags: added: juno-backport-potential
Changed in keystone:
milestone: kilo-3 → none
Changed in keystone:
milestone: none → kilo-rc1
tags: added: kilo-rc-potential
Changed in keystone:
milestone: kilo-rc1 → none
milestone: none → kilo-rc1
tags: removed: kilo-rc-potential
Changed in keystone:
assignee: Alexander Makarov (amakarov) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Alexander Makarov (amakarov)
Changed in keystone:
milestone: kilo-rc1 → liberty-1
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystone (openstack-ci/fuel-6.1/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.1/2014.2
Change author: Alexander Makarov <email address hidden>
Review: https://review.fuel-infra.org/5776

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote :

Fix proposed to branch: openstack-ci/fuel-6.1/2014.2
Change author: Alexander Makarov <email address hidden>
Review: https://review.fuel-infra.org/5777

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/keystone (openstack-ci/fuel-6.1/2014.2)

Change abandoned by Alexander Makarov <email address hidden> on branch: openstack-ci/fuel-6.1/2014.2
Review: https://review.fuel-infra.org/5776
Reason: In favor of 5776 which has the same ChangeId as the upstream patch

Changed in keystone:
status: In Progress → New
Changed in keystone:
status: New → In Progress
Changed in keystone:
milestone: liberty-1 → liberty-2
Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
Dolph Mathews (dolph) wrote :

I was hoping a fix for this could be backported, but it doesn't look like the final solution is backportable:

  https://review.openstack.org/#/c/141854/

tags: removed: juno-backport-potential
Changed in keystone:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/216354

tags: added: kilo-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-2 → 8.0.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/216354
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=369d08d1c6f1c30abb09440b3ed06e7e5266b1ec
Submitter: Jenkins
Branch: stable/kilo

commit 369d08d1c6f1c30abb09440b3ed06e7e5266b1ec
Author: Alexander Makarov <email address hidden>
Date: Mon Dec 15 20:25:01 2014 +0300

    Group role revocation invalidates all user tokens

    Keystone invalidates every token for a user after revoking one group role
    within one project.

    This patch replaces 'invalidate user's everything' logic with revocation by
    grant via notifications for delete_grant assignment operation.

    Closes-Bug: #1402760
    Closes-Bug: #1401926
    (cherry picked from commit 2cf743d6de3afcb1a0aa3d4c219b3c4bcea29008)

    There was one conflict fixed by hand in core.py. The test case had to be
    adjusted as driver='kvs' and driver='uuid' (test_v3_auth.py)
    will not work in the stable/kilo release.

    # Conflicts:
    #   keystone/assignment/core.py

    Change-Id: If9d0fefe43da96ba5e6b6ffc809b9f15e8d732f7

tags: added: in-stable-kilo