Token invalidation on project delete doesn't take inheritance into account

Bug #1513893 reported by Henry Nash
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Henry Nash
Milestone:

Bug Description

When we delete a project, we invalidate all the project tokens for any user who has a role on that project. The underlying assignment manager method used for this is list_user_ids_for_project(). This uses a driver method that just looks at direct assignments - and ignores any inherited or group role assignments any user may have on this project.
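To show the gap the description refers to, here is a small model of the assignment data (added example, not keystone's code): a direct-only lookup like the defective driver call, beside an effective lookup that also follows group membership and assignments inherited from parent projects. The project names, group and user ids are constructed; the rule that an inherited assignment applies to subprojects but not the project it is set on follows keystone's inherited_to_projects semantics.

```python
"""Constructed model of which users must have tokens invalidated on project delete."""
from dataclasses import dataclass


@dataclass
class Assignment:
    actor: str          # user id or group id
    actor_type: str     # "user" or "group"
    project: str
    inherited: bool = False   # inherited_to_projects: applies to subprojects only


# Constructed sample data: a two-level hierarchy, one group, four assignments.
PARENT = {"child": "parent", "parent": None}
GROUP_MEMBERS = {"grp-dev": {"user-b", "user-c"}}
ASSIGNMENTS = [
    Assignment("user-a", "user", "child"),                    # direct user assignment
    Assignment("grp-dev", "group", "child"),                  # role via group membership
    Assignment("user-d", "user", "parent", inherited=True),   # inherited down to child
    Assignment("user-e", "user", "parent"),                   # parent only, not inherited
]


def list_user_ids_direct(project, assignments=ASSIGNMENTS):
    """Models the defective lookup: direct, non-inherited user assignments only."""
    return {a.actor for a in assignments
            if a.actor_type == "user" and a.project == project and not a.inherited}


def ancestors(project, parent=PARENT):
    """Yield the project's ancestors, nearest first."""
    p = parent.get(project)
    while p is not None:
        yield p
        p = parent.get(p)


def list_user_ids_effective(project, assignments=ASSIGNMENTS,
                            parent=PARENT, members=GROUP_MEMBERS):
    """Every user holding a role on the project: direct, via group, or inherited
    from an ancestor. This is the set whose tokens must be invalidated."""
    ancestor_set = set(ancestors(project, parent))
    users = set()
    for a in assignments:
        applies = ((a.project == project and not a.inherited)
                   or (a.project in ancestor_set and a.inherited))
        if not applies:
            continue
        users |= {a.actor} if a.actor_type == "user" else members.get(a.actor, set())
    return users


def tokens_left_alive(project):
    """Users whose tokens the direct-only lookup would leave valid after deletion."""
    return list_user_ids_effective(project) - list_user_ids_direct(project)
```

With the sample data, deleting "child" invalidates only user-a's tokens under the direct-only lookup, while user-b and user-c (via the group) and user-d (inherited from the parent) keep usable tokens.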

Henry Nash (henry-nash)
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/242564

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/242574

tags: added: hierarchical-multitenancy
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
milestone: none → mitaka-2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/242564
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=57999b564df2a663b24ae91c80d3bfd4a3b914d1
Submitter: Jenkins
Branch: master

commit 57999b564df2a663b24ae91c80d3bfd4a3b914d1
Author: Henry Nash <email address hidden>
Date: Fri Nov 6 16:57:11 2015 +0000

    Show defect in list_user_ids that only lists direct user assignments

    The assignment manager method list_user_ids_for_projects fails to
    honor either group or inherited assignments. Since this is used
    to generate token invalidations, we could be leaving tokens out there
    which should be killed.

    Change-Id: I96b2a1f10e3a5013f1151b6c38ddc75282b69c6f
    Partial-Bug: #1513893

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/242574
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1c40fe4c04fcb79a060a094b30f5d1e41e6c231f
Submitter: Jenkins
Branch: master

commit 1c40fe4c04fcb79a060a094b30f5d1e41e6c231f
Author: Henry Nash <email address hidden>
Date: Fri Nov 6 17:23:23 2015 +0000

    Fix defect in list_user_ids that only lists direct user assignments

    The assignment manager method list_user_ids_for_projects fails to
    honor either group or inherited assignments. Since this is used
    to generate token invalidations, we could be leaving tokens out there
    which should be killed.

    Co-Authored-By: Samuel de Medeiros Queiroz <email address hidden>

    Change-Id: I0ad41a635ea060be351a3cb37fb42e5ab46a40df
    Closes-Bug: #1513893

Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.
