Reviewed: https://review.openstack.org/257478
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c885eeed341fd2ebca8d7c0bec0c51b00df2f28e
Submitter: Jenkins
Branch: master
commit c885eeed341fd2ebca8d7c0bec0c51b00df2f28e
Author: Boris Bobrov <email address hidden>
Date: Mon Dec 14 19:42:43 2015 +0300
Verify that user is trustee only on issuing token
get_token_data is used to gather various data for token. One of the
checks it does is verifying that the authenticated user is a trustee.
Before Fernet, it was used during token issuing.
Impersonation in trusts substitutes information about user in token,
so instead of trustee, trustor is stored in token.
With Fernet tokens, get_token_data is used during token validation.
In case of impersonation, user_id, stored in Fernet token, is id of
the trustor, but the check described needs this id to be id of the
trustee.
Move the check to happen only on token issuing.
Change-Id: I7c02cc6a1dbfe4e28d390960ac85d4574759b1a8
Closes-Bug: 1524849
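
A simplified model of the failure described in the commit message above, added here as an illustration and not taken from keystone. `Trust`, `issue`, `validate`, `validates` and the `fixed` flag are hypothetical names, and the token is modelled as a bare `(user_id, trust_id)` pair rebuilt through `get_token_data` on validation.

```python
# Toy model of the bug (hypothetical names; not keystone's code).
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Trust:
    id: str
    trustor: str
    trustee: str
    impersonation: bool


def check_trustee(user_id, trust):
    if user_id != trust.trustee:
        raise Forbidden("user is not the trustee")


def get_token_data(user_id, trust, fixed):
    if not fixed:
        check_trustee(user_id, trust)  # old: runs on issue AND on validation
    # Impersonation substitutes the trustor for the trustee in the token.
    shown = trust.trustor if trust.impersonation else user_id
    return {"user_id": shown, "trust_id": trust.id}


def issue(auth_user_id, trust, fixed):
    if fixed:
        check_trustee(auth_user_id, trust)  # new: checked only when issuing
    data = get_token_data(auth_user_id, trust, fixed)
    # Fernet-style token: only the ids are kept, the rest is rebuilt later.
    return (data["user_id"], data["trust_id"])


def validate(token, trusts, fixed):
    user_id, trust_id = token  # user_id is the trustor when impersonating
    return get_token_data(user_id, trusts[trust_id], fixed)


def validates(token, trusts, fixed):
    try:
        validate(token, trusts, fixed)
        return True
    except Forbidden:
        return False
```

With `fixed=False`, a token issued to the trustee on an impersonating trust fails its own validation; with `fixed=True` it validates, and a user who is not the trustee is still refused at issue time.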