Comment 8 for bug 1524849

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/257478
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c885eeed341fd2ebca8d7c0bec0c51b00df2f28e
Submitter: Jenkins
Branch: master

commit c885eeed341fd2ebca8d7c0bec0c51b00df2f28e
Author: Boris Bobrov <email address hidden>
Date: Mon Dec 14 19:42:43 2015 +0300

    Verify that user is trustee only on issuing token

    get_token_data is used to gather various data for a token. One of the
    checks it does is verifying that the authenticated user is a trustee.
    Before Fernet, it was used during token issuing.

    Impersonation in trusts substitutes information about the user in the
    token, so instead of the trustee, the trustor is stored in the token.

    With Fernet tokens, get_token_data is used during token validation.
    In the case of impersonation, the user_id stored in the Fernet token is
    the id of the trustor, but the check described needs this id to be the
    id of the trustee.

    Move the check to happen only on token issuing.

    Change-Id: I7c02cc6a1dbfe4e28d390960ac85d4574759b1a8
    Closes-Bug: 1524849
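The failure mode the commit message describes, modelled as an added example (this is not keystone's code; `Trust`, `get_token_data`, `issue_token`, `validate_token` and the `fixed` switch are hypothetical stand-ins for the real functions). A trust token is issued to the trustee; with impersonation the token stores the trustor's user_id. Fernet validation rebuilds the token data from the stored user_id, so a trustee check that lives inside the shared helper rejects every valid impersonation token. Moving the check to the issuing path keeps it where the authenticated user is actually known:

```python
"""Model of the trust-scoped token flow discussed in the commit message.

Hypothetical code, not keystone's. A trust lets a trustee obtain a token
that acts for the trustor; with impersonation the token carries the
trustor's user_id. Before Fernet, get_token_data ran only when issuing;
Fernet also calls it when validating, where the only user id available
is the one stored in the token.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    impersonation: bool


class NotTrustee(Exception):
    """Raised when the user acting on the trust is not its trustee."""


def check_trustee(trust: Trust, user_id: str) -> None:
    if user_id != trust.trustee_user_id:
        raise NotTrustee(f"user {user_id} is not the trustee of {trust.trust_id}")


def token_user_id(trust: Trust) -> str:
    # With impersonation the token is issued in the trustor's name.
    return trust.trustor_user_id if trust.impersonation else trust.trustee_user_id


def get_token_data(trust: Trust, user_id: str, fixed: bool) -> dict:
    """Build the token body. Before the fix, the trustee check lived here."""
    if not fixed:
        check_trustee(trust, user_id)
    return {"user_id": token_user_id(trust), "trust_id": trust.trust_id}


def issue_token(trust: Trust, authenticated_user_id: str, fixed: bool) -> dict:
    """Issuing: the authenticated user must be the trustee (checked here after the fix)."""
    if fixed:
        check_trustee(trust, authenticated_user_id)
    return get_token_data(trust, authenticated_user_id, fixed)


def validate_token(payload: dict, trusts: dict, fixed: bool) -> dict:
    """Fernet-style validation: rebuild token data from what the token stores."""
    trust = trusts[payload["trust_id"]]
    return get_token_data(trust, payload["user_id"], fixed)


def validation_outcome(impersonation: bool, fixed: bool) -> str:
    """Issue a trust token to the trustee, then validate it: 'ok' or 'rejected'."""
    # Constructed sample trust: alice delegates to bob.
    trust = Trust("trust-1", "trustor-alice", "trustee-bob", impersonation)
    payload = issue_token(trust, "trustee-bob", fixed)
    try:
        validate_token(payload, {trust.trust_id: trust}, fixed)
    except NotTrustee:
        return "rejected"
    return "ok"


def issue_outcome(user_id: str, fixed: bool) -> str:
    """Attempt to issue a token on the trust as user_id: 'ok' or 'rejected'."""
    trust = Trust("trust-1", "trustor-alice", "trustee-bob", True)  # constructed
    try:
        issue_token(trust, user_id, fixed)
    except NotTrustee:
        return "rejected"
    return "ok"


if __name__ == "__main__":
    for impersonation in (False, True):
        for fixed in (False, True):
            print(f"impersonation={impersonation} fixed={fixed}: "
                  f"validation {validation_outcome(impersonation, fixed)}")
    print("non-trustee issuing after fix:", issue_outcome("someone-else", True))
```

Running it shows the bug only with impersonation before the fix (the stored trustor id fails the trustee check at validation), while the guard that matters, refusing to issue a trust token to anyone but the trustee, holds in both versions.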