Revoking a role assignment revokes unscoped tokens too

Bug #1488208 reported by Dolph Mathews
Affects                       | Status       | Importance | Assigned to   | Milestone
OpenStack Identity (keystone) | Fix Released | Medium     | Dolph Mathews |
Kilo                          | Won't Fix    | Medium     | Dolph Mathews |

Bug Description

When you delete a role assignment using a user+role+project pairing, unscoped tokens between the user+project are unnecessarily revoked as well. In fact, two events are created for each role assignment deletion (one that is scoped correctly and one that is scoped too broadly).

The test failure in https://review.openstack.org/#/c/216236/ illustrates this issue:

  http://logs.openstack.org/36/216236/1/check/gate-keystone-python27/3f44af1/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/216367

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/216391

Dolph Mathews (dolph)
tags: added: kilo-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/216391
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5ced3c77430d9a0bd871d5387c9aadb9df1c0060
Submitter: Jenkins
Branch: master

commit 5ced3c77430d9a0bd871d5387c9aadb9df1c0060
Author: Dolph Mathews <email address hidden>
Date: Mon Aug 24 19:23:09 2015 +0000

    Show that unscoped tokens are revoked when deleting role assignments

    Unscoped tokens should, in fact, NOT be revoked when deleting role
    assignments, but this test demonstrates the opposite behavior to be the
    case.

    Change-Id: Ie4c844b4c2c8dae5d9f6b01404fd153b8155870d
    Partial-Bug: 1488208

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/216236
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9450cd9699c002adcdb8f64c95ffa2c002717568
Submitter: Jenkins
Branch: master

commit 9450cd9699c002adcdb8f64c95ffa2c002717568
Author: Dolph Mathews <email address hidden>
Date: Fri Aug 21 18:38:26 2015 +0000

    Handle tokens created and quickly revoked with insufficient timestamp precision

    In the event that the revocation event is created at the exact same
    timestamp as the token's creation timestamp, the event's issued_before
    will equal the token's issued_at and will thus not be revoked (according
    to the current code).

    This is much more likely to occur when a token's issue_at timestamp is
    rounded to whole seconds (rather than carrying microsecond level
    precision), as they are with Fernet and MySQL.

    Change-Id: If1f5e546463f189a0b487140a620def545006c25
    Closes-Bug: 1484237
    Related-Bug: 1488208

Changed in keystone:
status: In Progress → Fix Committed
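The two behaviours described above (the over-broad revocation event from the bug description, and the equal-timestamp edge case from the related commit message) can be reproduced in a small model of revocation-event matching. The code below is an added illustration and is not keystone's own implementation; it assumes a simplified event with optional user_id/project_id/role_id selectors and an issued_before timestamp, and a token that is revoked when every selector set on the event matches it and its issued_at is not after issued_before. The `inclusive` flag stands in for the comparison change discussed in the commit message and is an assumption of this model, not a keystone parameter.

```python
"""Simplified model of token revocation-event matching (added example,
not keystone code).  Assumed structure: an event carries optional
user_id / project_id / role_id selectors plus issued_before; a token is
revoked when every selector that is set matches it and the token was
issued at or before issued_before."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class Token:
    user_id: str
    issued_at: datetime
    project_id: Optional[str] = None      # None means an unscoped token
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class RevocationEvent:
    issued_before: datetime
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    role_id: Optional[str] = None


def matches(event: RevocationEvent, token: Token, inclusive: bool = True) -> bool:
    """True if `event` revokes `token`.

    Every selector set on the event must match the token, so an event with
    only user_id set matches ALL of that user's tokens, scoped or unscoped.
    `inclusive=False` is the strict timestamp comparison that lets a token
    issued in the same (whole-second) instant as the event survive.
    """
    if event.user_id is not None and event.user_id != token.user_id:
        return False
    if event.project_id is not None and event.project_id != token.project_id:
        return False
    if event.role_id is not None and event.role_id not in token.roles:
        return False
    if inclusive:
        return token.issued_at <= event.issued_before
    return token.issued_at < event.issued_before


def events_for_role_assignment_deletion(user_id: str, project_id: str, role_id: str,
                                        now: datetime, broad: bool = False):
    """Events emitted when a user+project+role assignment is deleted.

    The correctly scoped event is always emitted.  `broad=True` reproduces
    the defect: a second event scoped to the user alone, which matches the
    user's unscoped tokens as well.
    """
    events = [RevocationEvent(issued_before=now, user_id=user_id,
                              project_id=project_id, role_id=role_id)]
    if broad:
        events.append(RevocationEvent(issued_before=now, user_id=user_id))
    return events


def is_revoked(token: Token, events, inclusive: bool = True) -> bool:
    return any(matches(e, token, inclusive) for e in events)


def demo() -> dict:
    """Constructed scenario: one user, one project, one role; timestamps
    rounded to whole seconds as with Fernet/MySQL."""
    t0 = datetime(2015, 8, 24, 19, 23, 9)
    earlier = t0 - timedelta(seconds=5)
    unscoped = Token("alice", earlier)
    scoped = Token("alice", earlier, project_id="proj", roles=("member",))
    # Token minted in the same whole second in which the assignment is deleted.
    same_second = Token("alice", t0, project_id="proj", roles=("member",))

    buggy = events_for_role_assignment_deletion("alice", "proj", "member", t0, broad=True)
    fixed = events_for_role_assignment_deletion("alice", "proj", "member", t0)
    return {
        "buggy_revokes_unscoped": is_revoked(unscoped, buggy),        # True
        "fixed_revokes_unscoped": is_revoked(unscoped, fixed),        # False
        "fixed_revokes_scoped": is_revoked(scoped, fixed),            # True
        "same_second_strict": is_revoked(same_second, fixed, False),  # False
        "same_second_inclusive": is_revoked(same_second, fixed),      # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first two results show why a single over-broad event is a real problem: the user-only event matches everything the user holds, including unscoped tokens that were never tied to the deleted assignment. The last two show that with a strict comparison and whole-second timestamps, a scoped token issued in the same second as the deletion is not revoked at all, which is the gap the related commit addresses.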
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/216367
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5320b1a3358ada369d5db9aa68b6a07a36a82b1e
Submitter: Jenkins
Branch: master

commit 5320b1a3358ada369d5db9aa68b6a07a36a82b1e
Author: Dolph Mathews <email address hidden>
Date: Mon Aug 24 18:16:13 2015 +0000

    Do not revoke all of a user's tokens when a role assignment is deleted

    Previously, an overly broad revocation event was being generated that
    matched all of a user's tokens -- not just those belonging to a
    user-project pair.

    Change-Id: I52857029af21ac729f166b0e60aa9a38ffdc553a
    Closes-Bug: 1488208

Dolph Mathews (dolph)
tags: removed: kilo-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/222727

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (stable/kilo)

Related fix proposed to branch: stable/kilo
Review: https://review.openstack.org/222728

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/222729

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-rc1 → 8.0.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/222727
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=10613470f6b44bc4e1fd10b8b5629c4e0044b1fb
Submitter: Jenkins
Branch: stable/kilo

commit 10613470f6b44bc4e1fd10b8b5629c4e0044b1fb
Author: Dolph Mathews <email address hidden>
Date: Mon Aug 24 19:23:09 2015 +0000

    Show that unscoped tokens are revoked when deleting role assignments

    Unscoped tokens should, in fact, NOT be revoked when deleting role
    assignments, but this test demonstrates the opposite behavior to be the
    case.

    Change-Id: Ie4c844b4c2c8dae5d9f6b01404fd153b8155870d
    Partial-Bug: 1488208
    (cherry picked from commit 5ced3c77430d9a0bd871d5387c9aadb9df1c0060)

tags: added: in-stable-kilo
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/kilo)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/222729
Reason: abandoning since it hasn't moved since September

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/222728
Reason: abandoning since it hasn't moved since September

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Dolph Mathews (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/222729

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Kilo is EOL
