Fernet tokens do not support domain scopes

Bug #1428949 reported by Dolph Mathews on 2015-03-06
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Morgan Fainberg

Bug Description

Attempting to get a domain-scoped token with the Fernet token provider returns a token - everything appears to have worked. When validating that token though, it appears to be unpacked as a project-scoped token, which ultimately fails.

The short of it is that domain-scope support doesn't really exist yet, and the current behavior will only work if the hierarchical multitenancy effort successfully migrates domains to be projects.

Fix proposed to branch: master
Review: https://review.openstack.org/162031

Changed in keystone:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/162196

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Jorge Munoz (jorge-munoz)
Changed in keystone:
assignee: Jorge Munoz (jorge-munoz) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Morgan Fainberg (mdrnstm)

Reviewed: https://review.openstack.org/162031
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Submitter: Jenkins
Branch: master

commit a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 22:01:53 2015 +0000

    Drop Fernet token prefixes & add domain-scoped Fernet tokens

    - Move the payload version (part of the plaintext token prefix) into the
      integrity verified portion of the token (the payload). This also drops
      the 'F', which doesn't serve a purpose with Fernet tokens as it does
      with token formats that can be validated offline (PKI, PKIZ). This
      requires a bunch of refactoring to move the responsibility of
      decrypting, unpacking, and disassembling the payload contents to the
      caller (the Provider).

    - Add a domain-scoped payload format, identical to that for
      project-scoped tokens, just with a different version number. Better
      functional tests revealed that tests intended to exercise
      domain-scoped Fernet tokens, which didn't exist, should not have been
      passing.

    - Remove remaining functional tests from the unit test suite
      (test_fernet_provider), and ensure that same coverage exists in the
      actual functional test suite (test_v3_auth). Several of the unit tests
      required heavy refactoring due to the refactoring required to support
      the first item above, so it was easier just to dump those tests in
      favor of better functional test coverage, which are agnostic to the
      implementation details.

    Change-Id: I141f2707a391d46d9607710b30155b76de2f88f0
    Closes-Bug: 1427485
    Closes-Bug: 1428949

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2015-03-19
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-3 → 2015.1.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers