OpenStack Identity (keystone)

  1. Bug #1532280
  2. Comment #9

Comment 9 for bug 1532280

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/339176
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d53db1889e17d493202743246243936af90234b9
Submitter: Jenkins
Branch: master

commit d53db1889e17d493202743246243936af90234b9
Author: Lance Bragstad <email address hidden>
Date: Thu Jul 7 18:32:11 2016 +0000

    Fix fernet token validate for disabled domains/trusts

    This commit adds a check when rebuilding the authorization context of a
    trust-scoped token to make sure that both the trustor and the trustee are in
    enabled domains. With this patch the uuid token provider and the fernet token
    provider give the same response when caching is disabled. If caching is
    enabled, the fernet provider will still consider a trust-scoped token valid
    even though the trustor/trustee is in a disabled domain. A subsequent patch
    will fix the revocation event to make sure the token is removed from the cache
    when a domain is disabled.

    Change-Id: If3e941018d5c2c9bd22397e69f83b7bf92643340
    Partial-Bug: 1532280