Token invalidation on project delete doesn't take inheritance into account

Bug #1513893 reported by Henry Nash on 2015-11-06
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Henry Nash

Bug Description

When we delete a project, we invalidate all the project tokens for any user who has a role on that project. The underlying assignment manager method used for this is list_user_ids_for_project(). This uses a driver method that just looks at direct assignments - and ignores any inherited or group role assignments any user may have on this project.
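
The following is an added illustration of the defect the report describes; it is not Keystone code and not part of the bug report. It models a tiny assignment store with direct user assignments, a group assignment, and an inherited assignment from a parent project, then compares a lister that only sees direct user assignments (the buggy behaviour) with one that expands groups and walks the project hierarchy. The project names, users, tokens and the helper names (`list_user_ids_direct_only`, `list_user_ids_effective`, `invalidate_tokens_for_project`, `leaked_tokens`) are all constructed for the example, and the inherited-assignment semantics used here (an inherited role on a project applies to its descendants) are an assumption of the model, not a restatement of Keystone's rules.

```python
"""Constructed model of the defect: direct-only vs. effective assignment lookup.

Added example, not Keystone code. Project hierarchy, group membership,
assignments and tokens are toy in-memory structures (assumptions).
"""

# --- Constructed sample data (assumed, not from the bug report) -------------
# Project hierarchy: child -> parent. 'prod' is a child of 'corp'.
PARENT = {"corp": None, "prod": "corp"}

# Group membership: group id -> set of user ids.
GROUP_MEMBERS = {"ops": {"bob", "carol"}}

# Role assignments as (actor_type, actor_id, project_id, inherited).
# Assumption of this model: inherited=True on project P means the role
# applies to P's descendants.
ASSIGNMENTS = [
    ("user", "alice", "prod", False),   # direct user assignment on prod
    ("group", "ops", "prod", False),    # group assignment on prod
    ("user", "dave", "corp", True),     # inherited from parent corp to prod
]

# Tokens: token id -> (user_id, scoped project). Constructed.
TOKENS = {
    "t-alice": ("alice", "prod"),
    "t-bob": ("bob", "prod"),
    "t-dave": ("dave", "prod"),
    "t-erin": ("erin", "corp"),  # unrelated scope, must survive either way
}


def ancestors(project_id):
    """Yield parent, grandparent, ... of project_id."""
    p = PARENT.get(project_id)
    while p is not None:
        yield p
        p = PARENT.get(p)


def list_user_ids_direct_only(project_id):
    """Buggy behaviour: only direct, non-inherited user assignments on the project."""
    return {a[1] for a in ASSIGNMENTS
            if a[0] == "user" and a[2] == project_id and not a[3]}


def list_user_ids_effective(project_id):
    """Fixed behaviour: direct assignments, group members, and inherited
    assignments from every ancestor project."""
    users = set()
    # project -> whether only inherited assignments on it count
    scopes = {project_id: False}
    for anc in ancestors(project_id):
        scopes[anc] = True
    for actor_type, actor_id, proj, inherited in ASSIGNMENTS:
        if proj not in scopes:
            continue
        if scopes[proj] and not inherited:
            continue  # plain role on an ancestor does not reach the child
        if actor_type == "user":
            users.add(actor_id)
        else:
            users |= GROUP_MEMBERS.get(actor_id, set())
    return users


def invalidate_tokens_for_project(project_id, lister, tokens=TOKENS):
    """Simulate project deletion: revoke every token scoped to the deleted
    project whose user `lister` reports. Returns the surviving token ids."""
    users = lister(project_id)
    return {tid for tid, (uid, scope) in tokens.items()
            if not (scope == project_id and uid in users)}


def leaked_tokens(project_id):
    """Tokens scoped to the deleted project that the buggy lister leaves alive."""
    buggy = invalidate_tokens_for_project(project_id, list_user_ids_direct_only)
    fixed = invalidate_tokens_for_project(project_id, list_user_ids_effective)
    return buggy - fixed


if __name__ == "__main__":
    print("direct only:", sorted(list_user_ids_direct_only("prod")))
    print("effective:  ", sorted(list_user_ids_effective("prod")))
    print("leaked:     ", sorted(leaked_tokens("prod")))
```

Deleting `prod` with the direct-only lister revokes only Alice's token; Bob (via the `ops` group) and Dave (via the inherited role on `corp`) keep usable tokens scoped to a project that no longer exists, which is exactly the gap the report describes.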

Henry Nash (henry-nash) on 2015-11-06
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)

Fix proposed to branch: master
Review: https://review.openstack.org/242564

Changed in keystone:
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/242574

tags: added: hierarchical-multitenancy
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
milestone: none → mitaka-2

Reviewed: https://review.openstack.org/242564
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=57999b564df2a663b24ae91c80d3bfd4a3b914d1
Submitter: Jenkins
Branch: master

commit 57999b564df2a663b24ae91c80d3bfd4a3b914d1
Author: Henry Nash <email address hidden>
Date: Fri Nov 6 16:57:11 2015 +0000

    Show defect in list_user_ids that only lists direct user assignments

    The assignment manager method list_user_ids_for_projects fails to
    honor either group or inherited assignments. Since this is used
    to generate token invalidations, we could be leaving tokens out there
    which should be killed.

    Change-Id: I96b2a1f10e3a5013f1151b6c38ddc75282b69c6f
    Partial-Bug: #1513893

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/242574
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1c40fe4c04fcb79a060a094b30f5d1e41e6c231f
Submitter: Jenkins
Branch: master

commit 1c40fe4c04fcb79a060a094b30f5d1e41e6c231f
Author: Henry Nash <email address hidden>
Date: Fri Nov 6 17:23:23 2015 +0000

    Fix defect in list_user_ids that only lists direct user assignments

    The assignment manager method list_user_ids_for_projects fails to
    honor either group or inherited assignments. Since this is used
    to generate token invalidations, we could be leaving tokens out there
    which should be killed.

    Co-Authored-By: Samuel de Medeiros Queiroz <email address hidden>

    Change-Id: I0ad41a635ea060be351a3cb37fb42e5ab46a40df
    Closes-Bug: #1513893

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.
