Token operations fail when fernet key repository isn't writeable

Bug #1523664 reported by Lance Bragstad on 2015-12-07
Affects: OpenStack Identity (keystone)   Importance: Undecided   Assigned to: Ron De Rose
Affects: Liberty                         Importance: Undecided   Assigned to: Steve Martinelli

Bug Description

When using fernet tokens, I'm unable to get a token if the key_repository isn't writeable [0]. The main keystone process is only required to read keys from the key repository. The keystone-manage process must have write access to the key repository in order to bootstrap keys.

Keystone doesn't rely on write access in order to create tokens. The check for keystone shouldn't be dependent on it having write access, since it doesn't need it [1].

The write permissions should be kept when called from keystone-manage, but not when called from keystone.

mfisch and clayton from Time Warner Cable brought this to my attention and I was able to recreate.

[0] http://cdn.pasteraw.com/nng0up76dgy5b3naw0hw4bdabdkin84
[1] https://github.com/openstack/keystone/blob/56d3d76304a88baa3ff90e94e6bbd6d8d28e7dcf/keystone/token/providers/fernet/utils.py#L34-L36
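The permission check the report describes, written out as an added illustration. This is not keystone's own code from utils.py; it shows the shape of the problem (a single check that always demands write access) next to a check that takes a requires_write flag, which is what the two callers need: the keystone API process only reads keys to issue and validate tokens, while keystone-manage rotates keys and must write. The access function is injectable because os.access reports W_OK for root on any directory, which would hide the read-only case in a demo; the directory path and the fake_access_for_mode helper are assumptions made for the example.

```python
"""Added illustration of the fernet key-repository access check (not keystone code)."""
import os
import stat
import tempfile


def validate_key_repository_old(path, access=os.access):
    """Pre-fix shape: read, search and write access are all required,
    regardless of whether the caller ever writes a key file."""
    return (access(path, os.R_OK) and access(path, os.X_OK)
            and access(path, os.W_OK))


def validate_key_repository(path, requires_write=False, access=os.access):
    """Post-fix shape: write access is only demanded when the caller needs it.

    keystone (token create/validate) passes requires_write=False;
    keystone-manage (key setup/rotation) passes requires_write=True.
    """
    # Reading key files and listing the directory need r and x on the dir.
    if not (access(path, os.R_OK) and access(path, os.X_OK)):
        return False
    # Only key rotation creates or renames files inside the repository.
    if requires_write and not access(path, os.W_OK):
        return False
    return True


def fake_access_for_mode(mode):
    """Assumed helper: an os.access-style callable answering from the owner
    permission bits of a mode, so the logic can be shown deterministically."""
    def _access(path, flags):
        ok = True
        if flags & os.R_OK:
            ok = ok and bool(mode & stat.S_IRUSR)
        if flags & os.W_OK:
            ok = ok and bool(mode & stat.S_IWUSR)
        if flags & os.X_OK:
            ok = ok and bool(mode & stat.S_IXUSR)
        return ok
    return _access


def demo():
    """Compare both checks for a read-only and a read/write key repository."""
    repo = "/etc/keystone/fernet-keys"      # assumed path, never opened here
    ro = fake_access_for_mode(0o500)        # r-x------ : API node, keys read-only
    rw = fake_access_for_mode(0o700)        # rwx------ : node that rotates keys
    return {
        # old check refuses token operations on a read-only repository
        "old_check_ro": validate_key_repository_old(repo, access=ro),
        # fixed check lets keystone issue tokens from a read-only repository
        "token_ops_ro": validate_key_repository(repo, requires_write=False, access=ro),
        # keystone-manage still needs write access and is still refused
        "manage_ro": validate_key_repository(repo, requires_write=True, access=ro),
        "manage_rw": validate_key_repository(repo, requires_write=True, access=rw),
    }


def check_real_directory(path):
    """Run the fixed check against a real directory with the real os.access."""
    return {
        "token_ops": validate_key_repository(path, requires_write=False),
        "manage": validate_key_repository(path, requires_write=True),
    }


if __name__ == "__main__":
    print(demo())
    # Live demonstration on a temporary read-only directory. Note that when
    # run as root, os.access reports W_OK as True even for mode 0500.
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o500)
        print(check_real_directory(tmp))
        os.chmod(tmp, 0o700)  # restore so the cleanup can remove the directory
```

Running the script as an unprivileged user prints False for the old check and for the keystone-manage case on the read-only directory, and True for token operations, which is exactly the split the bug asks for.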

tags: added: fernet
summary: - Unable to get token when fernet key repository isn't writeable
+ Token operations fail when fernet key repository isn't writeable
Lance Bragstad (lbragstad) wrote :

Might be able to fix with something like - http://cdn.pasteraw.com/k6itk7dgxbuj5jf0s45s10clhfekl33

description: updated
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Navid Pustchi (npustchi) on 2015-12-09
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Navid Pustchi (npustchi)
assignee: Navid Pustchi (npustchi) → nobody
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in keystone:
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/256736

Changed in keystone:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/256736
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0aaa3ab1710c3bd9ca7800cc2156a483bd463a11
Submitter: Jenkins
Branch: master

commit 0aaa3ab1710c3bd9ca7800cc2156a483bd463a11
Author: Ron De Rose <email address hidden>
Date: Fri Dec 11 20:29:09 2015 +0000

    Changed the key repo validation to allow read only

    Fernet token operations would fail if the key repository did not
    have write access, even though it would only need read access.
    Added logic to validation to only check for read or read/write
    access based on what is required.

    Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d
    Closes-Bug: 1523664

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

Lance Bragstad (lbragstad) wrote :

Also backporting this to stable/liberty since that was also an affected release.

https://review.openstack.org/#/c/314672/

Reviewed: https://review.openstack.org/314672
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f811287beadab3c6d5ebdcae57ea6844284f72ea
Submitter: Jenkins
Branch: stable/liberty

commit f811287beadab3c6d5ebdcae57ea6844284f72ea
Author: Ron De Rose <email address hidden>
Date: Fri Dec 11 20:29:09 2015 +0000

    Changed the key repo validation to allow read only

    Fernet token operations would fail if the key repository did not
    have write access, even though it would only need read access.
    Added logic to validation to only check for read or read/write
    access based on what is required.

    Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d
    Closes-Bug: 1523664
    (cherry picked from commit 0aaa3ab1710c3bd9ca7800cc2156a483bd463a11)

xiexianbin (xiexianbin) wrote :

useful for me

This issue was fixed in the openstack/keystone 8.1.2 release.