Revoking a role revokes the unscoped token for a user

Bug #1511775 reported by Jeff Deville
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

In Juno and Kilo, when a role is revoked from a user on a project, a callback is triggered that invalidates all of that user's tokens. I can see why we'd want to do that for scoped tokens. But by revoking the unscoped token as well, the user is forced to log out and log back in. It seems like the unscoped token should be left alone, since revoking a role is an authorization change, and the unscoped token is an authentication issue.

Tags: revoke
Dolph Mathews (dolph) wrote:

Assigning this to Jorge Munoz, who started working on a related patch at the OpenStack summit this week.

With Fernet, we can not bother revoking either of these tokens. Instead, the new role set is computed at token validation time, and the scoped token would only be invalid if it was the last remaining role the user had on the project. Otherwise, both tokens would remain valid and the scoped token would simply be missing the revoked role.

Changed in keystone:
assignee: nobody → Jorge Munoz (jorge-munoz)
importance: Undecided → Medium
status: New → Triaged
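As an added illustration (not keystone code and not written by anyone on this thread), the following toy model contrasts the two behaviours discussed above: the Juno/Kilo-era approach from the bug description, where revoking a role invalidates every token the user holds, and the compute-at-validation approach Dolph describes, where nothing is revoked and the scoped token only becomes invalid when the last role the user had on the project is removed. All class and function names (`Assignments`, `LegacyRevoker`, `ComputeAtValidation`, `scenario`) are invented for this example, and the revocation bookkeeping is deliberately simplified to a per-user flag rather than keystone's time-based revocation events.

```python
# Added example, not keystone code. Models the two token-validation
# strategies discussed in bug #1511775 with invented names and a
# deliberately simplified revocation model.
from dataclasses import dataclass
from typing import Optional, FrozenSet


@dataclass(frozen=True)
class Token:
    user: str
    project: Optional[str] = None  # None means an unscoped token


class Assignments:
    """Current role assignments: (user, project) -> set of role names."""

    def __init__(self):
        self._grants = {}

    def grant(self, user, project, role):
        self._grants.setdefault((user, project), set()).add(role)

    def revoke(self, user, project, role):
        self._grants.get((user, project), set()).discard(role)

    def roles(self, user, project) -> FrozenSet[str]:
        return frozenset(self._grants.get((user, project), set()))


class LegacyRevoker:
    """Behaviour the bug describes: a role revocation triggers a callback
    that invalidates all of the user's tokens, scoped and unscoped alike."""

    def __init__(self):
        self.revoked_users = set()

    def on_role_revoked(self, user, project, role):
        self.revoked_users.add(user)  # simplified stand-in for revocation events

    def validate(self, token, assignments):
        # None means "invalid, re-authenticate"; a frozenset means valid
        if token.user in self.revoked_users:
            return None
        if token.project is None:
            return frozenset()  # unscoped: valid, carries no roles
        return assignments.roles(token.user, token.project)


class ComputeAtValidation:
    """Behaviour Dolph describes for Fernet: no revocation on role change;
    roles are recomputed at validation time, so the scoped token is only
    invalid once the user has no roles left on the project."""

    def on_role_revoked(self, user, project, role):
        pass  # nothing to revoke

    def validate(self, token, assignments):
        if token.project is None:
            return frozenset()  # unscoped token is an authentication artifact only
        roles = assignments.roles(token.user, token.project)
        return roles if roles else None


def scenario(strategy):
    """Run the report's scenario and return (unscoped, scoped) validation
    results before any revocation, after one role is revoked, and after
    the last role is revoked. Constructed sample data."""
    a = Assignments()
    a.grant("alice", "proj-1", "member")
    a.grant("alice", "proj-1", "reader")
    unscoped, scoped = Token("alice"), Token("alice", "proj-1")

    def check():
        return (strategy.validate(unscoped, a), strategy.validate(scoped, a))

    before = check()
    a.revoke("alice", "proj-1", "member")
    strategy.on_role_revoked("alice", "proj-1", "member")
    after_one = check()
    a.revoke("alice", "proj-1", "reader")
    strategy.on_role_revoked("alice", "proj-1", "reader")
    after_last = check()
    return {"before": before, "after_one": after_one, "after_last": after_last}


if __name__ == "__main__":
    for name, strategy in (("legacy", LegacyRevoker()), ("fernet", ComputeAtValidation())):
        print(name, scenario(strategy))
```

Under the legacy strategy both tokens come back invalid as soon as any role is revoked, which is the forced re-login the report complains about. Under compute-at-validation the unscoped token is never affected, and the scoped token survives the first revocation with the remaining role and only fails once the last role is gone.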
Jeff Deville (jeffdeville) wrote:

Excellent! That's a much more comprehensive solution! Thanks Dolph, Jorge.

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/253273

tags: added: revoke
Steve Martinelli (stevemar) wrote:

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Jorge Munoz (jorge-munoz) → nobody
Changed in keystone:
assignee: nobody → Steve Martinelli (stevemar)
status: Triaged → In Progress
Changed in keystone:
assignee: Steve Martinelli (stevemar) → nobody
Lance Bragstad (lbragstad) wrote:

I've attempted to recreate this locally after we merged a fix [0] for a similar bug [1]. I was not able to recreate this with the latest code in master (eed29f236e251007093ae1fe29185eddbef8497d).

I'm going to close this, but feel free to continue using this report for discussion as necessary.

[0] https://github.com/openstack/keystone/commit/a103486efeefca821ac722cbad6fc31b2e3f133b
[1] https://bugs.launchpad.net/keystone/+bug/1662514

Changed in keystone:
status: In Progress → Invalid
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Invalid → In Progress
Changed in keystone:
status: In Progress → Invalid
assignee: Lance Bragstad (lbragstad) → nobody