| 2015-12-07 20:33:57 |
Lance Bragstad |
bug |
|
|
added bug |
| 2015-12-07 20:34:04 |
Lance Bragstad |
tags |
|
fernet |
|
| 2015-12-07 20:34:40 |
Lance Bragstad |
summary |
Unable to get token when fernet key repository isn't writeable |
Token operations fail when fernet key repository isn't writeable |
|
| 2015-12-09 16:07:46 |
Lance Bragstad |
description |
When using fernet tokens, I'm unable to get a token if the key_repository isn't writeable [0]. The main keystone process is only required to read keys from the key repository. The keystone-manage process must have write access to the key repository in order to bootstrap keys.
Keystone doesn't rely on write access in order to create tokens. The check for keystone shouldn't be dependent on it having write access, since it doesn't need it [1].
The write permissions should be kept when called from keystone-manage, but not when called from keystone.
[0] http://cdn.pasteraw.com/nng0up76dgy5b3naw0hw4bdabdkin84
[1] https://github.com/openstack/keystone/blob/56d3d76304a88baa3ff90e94e6bbd6d8d28e7dcf/keystone/token/providers/fernet/utils.py#L34-L36 |
When using fernet tokens, I'm unable to get a token if the key_repository isn't writeable [0]. The main keystone process is only required to read keys from the key repository. The keystone-manage process must have write access to the key repository in order to bootstrap keys.
Keystone doesn't rely on write access in order to create tokens. The check for keystone shouldn't be dependent on it having write access, since it doesn't need it [1].
The write permissions should be kept when called from keystone-manage, but not when called from keystone.
mfisch and clayton from Time Warner Cable brought this to my attention and I was able to recreate.
[0] http://cdn.pasteraw.com/nng0up76dgy5b3naw0hw4bdabdkin84
[1] https://github.com/openstack/keystone/blob/56d3d76304a88baa3ff90e94e6bbd6d8d28e7dcf/keystone/token/providers/fernet/utils.py#L34-L36 |
|
| 2015-12-09 16:47:26 |
Ron De Rose |
keystone: assignee |
|
Ron De Rose (ronald-de-rose) |
|
| 2015-12-09 16:51:55 |
Navid Pustchi |
keystone: assignee |
Ron De Rose (ronald-de-rose) |
Navid Pustchi (npustchi) |
|
| 2015-12-09 16:52:00 |
Navid Pustchi |
keystone: assignee |
Navid Pustchi (npustchi) |
|
|
| 2015-12-09 16:53:54 |
Ron De Rose |
keystone: assignee |
|
Ron De Rose (ronald-de-rose) |
|
| 2015-12-10 19:34:38 |
Ron De Rose |
keystone: status |
New |
Confirmed |
|
| 2015-12-11 20:35:54 |
OpenStack Infra |
keystone: status |
Confirmed |
In Progress |
|
| 2015-12-15 02:44:37 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
| 2016-05-10 17:52:50 |
Lance Bragstad |
nominated for series |
|
keystone/liberty |
|
| 2016-05-10 17:52:50 |
Lance Bragstad |
bug task added |
|
keystone/liberty |
|
| 2016-05-10 17:52:59 |
Lance Bragstad |
keystone/liberty: status |
New |
In Progress |
|
| 2016-05-10 17:53:02 |
Lance Bragstad |
keystone/liberty: assignee |
|
Lance Bragstad (lbragstad) |
|
| 2016-05-10 21:10:25 |
OpenStack Infra |
keystone/liberty: assignee |
Lance Bragstad (lbragstad) |
Steve Martinelli (stevemar) |
|
| 2016-05-11 05:44:05 |
OpenStack Infra |
keystone/liberty: status |
In Progress |
Fix Committed |
|
| 2016-05-26 20:59:48 |
Steve Martinelli |
keystone/liberty: status |
Fix Committed |
Fix Released |
|
