2016-01-08 17:43:27 |
Lance Bragstad |
bug |
|
|
added bug |
2016-01-08 17:43:34 |
Lance Bragstad |
tags |
|
fernet |
|
2016-01-08 17:45:33 |
Lance Bragstad |
description |
When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.
Part of the fix has already been incorporated into a patch up for review [0]. But, since this is an inconsistency - there was a case for breaking it out into its own bug and its own fix.
Steps to reproduce
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token
The token validation in the last step should return a 401, instead a proper token validation is returned.
[0] https://review.openstack.org/#/c/253273/27 |
When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.
Part of the fix has already been incorporated into a patch up for review [0]. But, since this is an inconsistency - there was a case for breaking it out into its own bug and its own fix.
Steps to reproduce
- Modify the keystone config to issue Fernet tokens
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token
The token validation in the last step should return a 401, instead a proper token validation is returned.
[0] https://review.openstack.org/#/c/253273/27 |
|
2016-01-08 17:47:01 |
Lance Bragstad |
description |
When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.
Part of the fix has already been incorporated into a patch up for review [0]. But, since this is an inconsistency - there was a case for breaking it out into its own bug and its own fix.
Steps to reproduce
- Modify the keystone config to issue Fernet tokens
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token
The token validation in the last step should return a 401, instead a proper token validation is returned.
[0] https://review.openstack.org/#/c/253273/27 |
When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.
Part of the fix has already been incorporated into a patch up for review [0]; it was discovered by jorge_munoz in some of his testing. But, since this is an inconsistency between token providers - there was a case for breaking it out into its own bug and its own fix.
Steps to reproduce
- Modify the keystone config to issue Fernet tokens
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token
The token validation in the last step should return a 401, instead a proper token validation is returned.
[0] https://review.openstack.org/#/c/253273/27 |
|
2016-01-08 21:43:41 |
OpenStack Infra |
keystone: status |
New |
In Progress |
|
2016-01-08 21:43:41 |
OpenStack Infra |
keystone: assignee |
|
Lance Bragstad (lbragstad) |
|
2016-01-13 13:48:46 |
Dolph Mathews |
keystone: importance |
Undecided |
Medium |
|
2016-01-13 16:02:01 |
Lance Bragstad |
summary |
Fernet trust token is still valid when user's domain is disabled. |
Fernet trust token is still valid when trustee's domain is disabled. |
|
2016-03-18 22:13:10 |
Thomas Hsiao |
bug |
|
|
added subscriber Thomas Hsiao |
2016-07-07 13:50:08 |
Lance Bragstad |
tags |
fernet |
|
|
2016-07-07 15:08:10 |
Lance Bragstad |
tags |
|
fernet |
|
2016-07-07 15:14:32 |
Lance Bragstad |
description |
When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.
Part of the fix has already been incorporated into a patch up for review [0]; it was discovered by jorge_munoz in some of his testing. But, since this is an inconsistency between token providers - there was a case for breaking it out into its own bug and its own fix.
Steps to reproduce
- Modify the keystone config to issue Fernet tokens
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token
The token validation in the last step should return a 401, instead a proper token validation is returned.
[0] https://review.openstack.org/#/c/253273/27 |
When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.
Part of the fix has already been incorporated into a patch up for review [0]; it was discovered by jorge_munoz in some of his testing. But, since this is an inconsistency between token providers - there was a case for breaking it out into its own bug and its own fix.
Steps to reproduce:
- Enable the Fernet token provider in the keystone.conf file
- Create domain A
- Create a user in domain A
- Create a project in domain A
- Grant the user in domain A a role on the project in domain A
- Create domain B
- Create a user in domain B
- As the user in domain A, create a trust with the user in domain B on the project in domain A
- As the user in domain B, get a project-scoped token using the trust
- As the admin, disable domain B (which is the trustee's domain)
- As the user in domain B, validate the trust-scoped token
This validation should return 404 Not Found, but instead it returns 200 OK. We have a patch in review that exposes the behavior for the Fernet provider [1].
[0] https://review.openstack.org/#/c/253273/27
[1] https://review.openstack.org/#/c/265455/4 |
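The reproduction steps above, modelled as an added example that is not Keystone's code: a small in-memory identity store (domains A and B, a trustor in A, a trustee in B, one trust) and a trust-token validator. The `check_trustee_domain` flag is an assumption used only to contrast the reported Fernet symptom (trustee's domain disabled, token still validates) with the expected UUID-provider behaviour (validation fails, which keystone surfaces as 404 Not Found).

```python
from dataclasses import dataclass


class TokenNotFound(Exception):
    """Validation failure; keystone reports this as 404 Not Found."""


@dataclass
class Domain:
    id: str
    enabled: bool = True


@dataclass
class User:
    id: str
    domain_id: str
    enabled: bool = True


@dataclass
class Trust:
    id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str


# Constructed store mirroring the bug's setup: trustor in domain A, trustee in domain B.
DOMAINS = {"A": Domain("A"), "B": Domain("B")}
USERS = {"alice": User("alice", "A"), "bob": User("bob", "B")}
TRUSTS = {"t1": Trust("t1", "alice", "bob", "proj-A")}


def _require_user_and_domain_enabled(user_id):
    user = USERS[user_id]
    if not user.enabled or not DOMAINS[user.domain_id].enabled:
        raise TokenNotFound(f"user {user_id} or its domain is disabled")


def validate_trust_token(user_id, trust_id, check_trustee_domain=True):
    """Validate a trust-scoped token carrying (trustee user_id, trust_id).

    check_trustee_domain=False is an assumed model of the reported Fernet symptom:
    only the trustor side is checked, so a disabled trustee domain goes unnoticed.
    check_trustee_domain=True is the expected behaviour: both sides are checked."""
    trust = TRUSTS.get(trust_id)
    if trust is None or trust.trustee_user_id != user_id:
        raise TokenNotFound("trust missing or token user is not the trustee")
    _require_user_and_domain_enabled(trust.trustor_user_id)
    if check_trustee_domain:
        _require_user_and_domain_enabled(trust.trustee_user_id)
    return {"user_id": user_id, "trust_id": trust_id, "project_id": trust.project_id}


def token_is_valid(user_id, trust_id, **kw):
    """True when validation succeeds (200 OK), False when it raises (404)."""
    try:
        validate_trust_token(user_id, trust_id, **kw)
        return True
    except TokenNotFound:
        return False
```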
|
2016-07-07 20:55:45 |
Steve Martinelli |
keystone: milestone |
|
newton-2 |
|
2016-07-09 03:37:25 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|