Cannot use trusts with fernet tokens

Bug #1524849 reported by Kairat Kushaev on 2015-12-10
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Assigned to: Boris Bobrov

Bug Description

Master, devstack (installed today).
1. Enable fernet tokens in Keystone
2. Add the following lib to glance/common/ folder:
3. Replace upload method in glance/api/v2/ with the following:
NOTE: it is just an example of the code to demonstrate that fernet tokens can't work well with trusts.
4. Restart glance
5. Try to upload any image.
You will get the following error when deleting the trust:
When you try to upload a big image that requires more than an hour (or reduce the token expiration)
you will get the following:
Apparently, the refreshed token is rejected by keystone-middleware.

I faced the issue when implementing trusts for Glance, but it seems that Heat and other services have the same troubles.
UUID tokens work as expected.

summary: - Cannot delete trust when using fernet tokens
+ Cannot use trusts with fernet tokens
Brant Knudson (blk-u) on 2015-12-10
tags: added: fernet
Lance Bragstad (lbragstad) wrote :


Are you able to post the output from the keystone server logs (preferably with debug and verbose set to true)?

Alexander Makarov (amakarov) wrote :

Looks like trustee cannot delete the trust using Fernet token.

Kairat Kushaev (kkushaev) wrote : (attachment: key-access)

Here is the "key" screen output.
Please let me know if you need something else.

Kairat Kushaev (kkushaev) wrote :

FYI, looks like Sahara, Murano and Heat are broken with the same error.
If you turn on fernets and execute some long-running operation, then a 503 error is raised by keystone middleware.

Fix proposed to branch: master

Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
status: New → In Progress
Boris Bobrov (bbobrov) wrote :

This happens only when impersonate=True

Dolph Mathews (dolph) on 2015-12-14
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
milestone: none → mitaka-2

Submitter: Jenkins
Branch: master

commit c885eeed341fd2ebca8d7c0bec0c51b00df2f28e
Author: Boris Bobrov <email address hidden>
Date: Mon Dec 14 19:42:43 2015 +0300

    Verify that user is trustee only on issuing token

    get_token_data is used to gather various data for token. One of the
    checks it does is verifying that the authenticated user is a trustee.
    Before Fernet, it was used during token issuing.

    Impersonation in trusts substitutes information about user in token,
    so instead of trustee, trustor is stored in token.

    With Fernet tokens, get_token_data is used during token validation.
    In case of impersonation, user_id, stored in Fernet token, is id of
    the trustor, but the check described needs this id to be id of the

    Move the check to happen only on token issuing.

    Change-Id: I7c02cc6a1dbfe4e28d390960ac85d4574759b1a8
    Closes-Bug: 1524849
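The commit message above describes the mechanism in prose only. The following is an added illustrative model, written for this page and not keystone's own code: the names `Trust`, `FernetPayload`, `verify_trustee`, `issue_trust_token` and the two `validate_*` functions are assumptions that stand in for keystone's `get_token_data` path. It shows why a trust-scoped Fernet token issued with `impersonation=True` was accepted at issue time and then rejected at validation time: the token stores the trustor's id, so re-running the trustee check against the stored `user_id` at validation can only fail. The "after fix" validator performs the trustee check only when the token is issued, as the commit does.

```python
"""Model of the trust/impersonation check before and after the keystone fix.

Added example for illustration; the data model and function names are
assumptions, not keystone's real implementation.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_id: str      # the user delegating their rights
    trustee_id: str      # the user (usually a service account) receiving them
    impersonation: bool  # True: tokens carry the trustor's identity


@dataclass(frozen=True)
class FernetPayload:
    """What a decrypted trust-scoped Fernet token carries in this model.

    Fernet tokens are not stored server-side, so validation must rebuild
    the full token data from these ids (this is why get_token_data ran at
    validation time with Fernet but not with UUID tokens).
    """
    user_id: str
    trust_id: str


class NotTrusteeError(Exception):
    """Raised when a user id is not the trustee of the given trust."""


def verify_trustee(user_id: str, trust: Trust) -> None:
    if user_id != trust.trustee_id:
        raise NotTrusteeError(f"{user_id} is not the trustee of {trust.trust_id}")


def issue_trust_token(authenticated_user_id: str, trust: Trust) -> FernetPayload:
    """Issue a trust-scoped token. Only the trustee may obtain one."""
    verify_trustee(authenticated_user_id, trust)
    # Impersonation substitutes the trustor for the trustee in the token.
    token_user = trust.trustor_id if trust.impersonation else trust.trustee_id
    return FernetPayload(user_id=token_user, trust_id=trust.trust_id)


def validate_before_fix(payload: FernetPayload, trusts: Dict[str, Trust]) -> dict:
    """Buggy behaviour: the trustee check is re-run on the stored user_id."""
    trust = trusts[payload.trust_id]
    verify_trustee(payload.user_id, trust)  # fails whenever impersonation=True
    return {"user_id": payload.user_id, "trust_id": trust.trust_id}


def validate_after_fix(payload: FernetPayload, trusts: Dict[str, Trust]) -> dict:
    """Fixed behaviour: trustee-ness was already verified at issue time."""
    trust = trusts[payload.trust_id]
    return {"user_id": payload.user_id, "trust_id": trust.trust_id}


def issue_allowed(authenticated_user_id: str, trust: Trust) -> bool:
    """Whether a given user can obtain a token for this trust at all."""
    try:
        issue_trust_token(authenticated_user_id, trust)
        return True
    except NotTrusteeError:
        return False


def outcome(validate: Callable[[FernetPayload, Dict[str, Trust]], dict],
            authenticated_user_id: str, trust: Trust) -> str:
    """Issue a token as the given user, then validate it; 'valid' or 'rejected'."""
    trusts = {trust.trust_id: trust}
    payload = issue_trust_token(authenticated_user_id, trust)
    try:
        validate(payload, trusts)
        return "valid"
    except NotTrusteeError:
        return "rejected"


# Constructed sample trusts: a service account acting for user "alice".
TRUST_IMPERSONATE = Trust("t-1", trustor_id="alice", trustee_id="glance-svc", impersonation=True)
TRUST_PLAIN = Trust("t-2", trustor_id="alice", trustee_id="glance-svc", impersonation=False)


if __name__ == "__main__":
    for name, validate in (("before fix", validate_before_fix), ("after fix", validate_after_fix)):
        for trust in (TRUST_IMPERSONATE, TRUST_PLAIN):
            print(f"{name:10} impersonation={trust.impersonation!s:5} -> "
                  f"{outcome(validate, 'glance-svc', trust)}")
```

Running the block prints that only the `before fix` / `impersonation=True` combination is rejected, which matches the symptom in the report (the token is issued, then rejected by keystonemiddleware on later use); the check that matters for security, that only the trustee can obtain the token, still runs in `issue_trust_token` in both variants.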

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone development milestone.
