Fernet trust token is still valid when trustee's domain is disabled.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Lance Bragstad |
Bug Description
When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.
Part of the fix has already been incorporated into a patch up for review [0], it was discovered by jorge_munoz in some of his testing. But, since this is an inconsistency between token providers - there was a case for breaking it out into it's own bug and it's own fix.
Steps to reproduce:
- Enable the Fernet token provider in the keystone.conf file
- Create domain A
- Create a user in domain A
- Create a project in domain A
- Grant the user in domain A a role on the project in domain A
- Create domain B
- Create a user in domain B
- As the user in domain A, create a trust with the user in domain B on the project in domain A
- As the user in domain B, get a project-scoped token using the trust
- As the admin, disable domain B (which is the trustee's domain)
- As the user in domain B, validate the trust-scoped token
This validation should return 404 Not Found, but instead it returns 200 OK. We have a patch in review that exposes the behavior for the Fernet provider [1].
[0] https:/
[1] https:/
tags: | added: fernet |
description: | updated |
description: | updated |
Changed in keystone: | |
importance: | Undecided → Medium |
summary: |
- Fernet trust token is still valid when user's domain is disabled. + Fernet trust token is still valid when trustee's domain is disabled. |
tags: | added: fernet |
description: | updated |
Changed in keystone: | |
milestone: | none → newton-2 |
Fix proposed to branch: master /review. openstack. org/265455
Review: https:/