Revocation API is used in places where it doesn't need to be

Bug #1671887 reported by Lance Bragstad on 2017-03-10
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: Unassigned

Bug Description

Since keystone now validates UUID and Fernet tokens the same way - by rebuilding the token context at validation time, we no longer need to persist certain types of revocation events.

For example, a revocation event is persisted when a role is deleted. This is no longer needed because the invalidation happens by design of the token provider.

Opening this bug so that we can track those cases and remove them.

- revoking when a user is removed from a project
- revoking when a role is deleted
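The mechanism the description relies on, shown as an added example rather than keystone's own code: a toy token provider that stores only identifiers in the token and looks the user's role assignments up again at validation time is invalidated by a role deletion or a project-membership removal with no revocation event at all, whereas a provider that snapshots the roles into the token needs a persisted event to notice the same change. The in-memory assignment backend, the HMAC token format, the signing key and the rule that a scope with no roles is invalid are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-example-key"  # assumption: one signing key for the toy provider


class AssignmentBackend:
    """In-memory stand-in for role/assignment storage (assumption, not keystone's API)."""

    def __init__(self):
        self.roles = {}   # role_id -> role name
        self.grants = {}  # (user_id, project_id) -> set of role_id

    def create_role(self, role_id, name):
        self.roles[role_id] = name

    def grant(self, user_id, project_id, role_id):
        self.grants.setdefault((user_id, project_id), set()).add(role_id)

    def delete_role(self, role_id):
        # Deleting a role also drops every grant that referenced it.
        del self.roles[role_id]
        for role_ids in self.grants.values():
            role_ids.discard(role_id)

    def remove_user_from_project(self, user_id, project_id):
        self.grants.pop((user_id, project_id), None)

    def role_names(self, user_id, project_id):
        return sorted(self.roles[r] for r in self.grants.get((user_id, project_id), ()))


def _sign(payload):
    """Constructed token format: urlsafe-b64(json) '.' hex HMAC-SHA256 (assumption)."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac


def _verify(token):
    """Return the payload if the MAC checks out, else None."""
    encoded, _, mac = token.partition(".")
    body = base64.urlsafe_b64decode(encoded)
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(mac, expected) else None


# Strategy A: the token carries identifiers only; roles are rebuilt at validation time.
def issue_rebuilt_token(user_id, project_id):
    return _sign({"user_id": user_id, "project_id": project_id})


def validate_rebuilt_token(token, backend):
    payload = _verify(token)
    if payload is None:
        return None
    roles = backend.role_names(payload["user_id"], payload["project_id"])
    if not roles:
        return None  # assignment gone: invalid by design, no revocation event consulted
    return {**payload, "roles": roles}


# Strategy B: roles are snapshotted into the token, so a deleted role or removed
# membership can only be noticed through a persisted revocation event.
def issue_snapshot_token(user_id, project_id, backend):
    return _sign({"user_id": user_id, "project_id": project_id,
                  "roles": backend.role_names(user_id, project_id)})


class RevocationEvents:
    """The kind of persisted events the bug says are now redundant."""

    def __init__(self):
        self.events = []

    def revoke_by_role(self, role_name):
        self.events.append(("role", role_name))

    def revoke_by_grant(self, user_id, project_id):
        self.events.append(("grant", user_id, project_id))

    def matches(self, payload):
        for event in self.events:
            if event[0] == "role" and event[1] in payload["roles"]:
                return True
            if event[0] == "grant" and event[1:] == (payload["user_id"], payload["project_id"]):
                return True
        return False


def validate_snapshot_token(token, events):
    payload = _verify(token)
    if payload is None or events.matches(payload):
        return None
    return payload


def demo():
    """Delete a role with no revocation event and see which strategy still accepts the token."""
    backend = AssignmentBackend()
    backend.create_role("r1", "member")
    backend.grant("alice", "proj", "r1")
    rebuilt = issue_rebuilt_token("alice", "proj")
    snapshot = issue_snapshot_token("alice", "proj", backend)
    events = RevocationEvents()
    before = (validate_rebuilt_token(rebuilt, backend)["roles"],
              validate_snapshot_token(snapshot, events)["roles"])
    backend.delete_role("r1")  # no event persisted, as in the fixes for this bug
    after = (validate_rebuilt_token(rebuilt, backend),
             validate_snapshot_token(snapshot, events))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The rebuilt-context validator rejects the token the moment the assignment disappears, because the lookup that produced the roles no longer returns anything; the snapshot validator keeps accepting it until someone calls `revoke_by_role`, which is exactly the bookkeeping the commits on this bug remove.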

Changed in keystone:
status: New → Confirmed
importance: Undecided → Low

Fix proposed to branch: master
Review: https://review.openstack.org/444424

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Confirmed → In Progress
Richard (csravelar) on 2017-03-10
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Richard (csravelar)

Fix proposed to branch: master
Review: https://review.openstack.org/447562

Changed in keystone:
assignee: Richard (csravelar) → Lance Bragstad (lbragstad)

Fix proposed to branch: master
Review: https://review.openstack.org/447564

Fix proposed to branch: master
Review: https://review.openstack.org/447573

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Richard (csravelar)
description: updated

Fix proposed to branch: master
Review: https://review.openstack.org/448615

Reviewed: https://review.openstack.org/447549
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9f8e412e49e469c84d098cd012e1e6f62c4a2f17
Submitter: Jenkins
Branch: master

commit 9f8e412e49e469c84d098cd012e1e6f62c4a2f17
Author: Ubuntu <email address hidden>
Date: Mon Mar 20 15:24:30 2017 +0000

    Don't persist rev event when deleting access token

    This is no longer needed since the token provider API will
    rebuild the token context at validation time. The revocation event
    is not needed and we no longer need to store it.

    Change-Id: I4dc766981a29b0afd0a44718c1c5d81155163982
    partial-bug: 1671887

Reviewed: https://review.openstack.org/444424
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=939881b77fa1ad8546101dc5b8aed126e0127179
Submitter: Jenkins
Branch: master

commit 939881b77fa1ad8546101dc5b8aed126e0127179
Author: Lance Bragstad <email address hidden>
Date: Fri Mar 10 17:20:38 2017 +0000

    Don't persist revocation events when deleting a role

    This is no longer needed since the token provider API will
    rebuild the token context at validation time. The revocation event
    is not needed and we no longer need to store it.

    Change-Id: I91315f620534974ab1102d693fbdff45e4ae8887
    partial-bug: 1671887

Reviewed: https://review.openstack.org/447562
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6ed141a57cb75a3b22f8b47809203e6cae09da10
Submitter: Jenkins
Branch: master

commit 6ed141a57cb75a3b22f8b47809203e6cae09da10
Author: Lance Bragstad <email address hidden>
Date: Mon Mar 20 15:46:09 2017 +0000

    Remove unnecessary revocation events

    Previously we stored revocation events when a user's membership to a
    project was removed. This is no longer needed since all supported
    token providers in keystone validate tokens by rebuilding them at
    validation time.

    This commit removes logic from the assignment API that persists
    revocation events. It also removes the dependency the assignment API
    has on the revocation API, since it is no longer needed.

    Change-Id: Ic8861f239ad0af1551c1f82105665c569bbdac9d
    partial-bug: 1671887

Reviewed: https://review.openstack.org/448186
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=890b1d43251302e7ad65a1c2171d76a67dff01f0
Submitter: Jenkins
Branch: master

commit 890b1d43251302e7ad65a1c2171d76a67dff01f0
Author: Richard Avelar <email address hidden>
Date: Tue Mar 21 16:27:46 2017 +0000

    Remove unnecessary revocation events

    With [0], we no longer need role_assignment callback. It isn't being
    used anywhere and token providers rebuild tokens at validation time.
    Some links to show test coverage for role_assignment:
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_auth.py#L526-L553
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_auth.py#L2993
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_auth.py#L3179
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_auth.py#L3329
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_auth.py#L3610
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_assignment.py#L31-L33

    [0]: https://review.openstack.org/#/c/447562/

    Change-Id: If690c8ff8466e8568a8c9dc4463f341adb675630
    partial-bug: 1671887

Reviewed: https://review.openstack.org/448192
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=07966bbee4e2e3062303c7fa25510e43ab091490
Submitter: Jenkins
Branch: master

commit 07966bbee4e2e3062303c7fa25510e43ab091490
Author: Richard Avelar <email address hidden>
Date: Tue Mar 21 16:38:22 2017 +0000

    Remove unnecessary revocation events revoke grant

    With [1], we no longer need revoke_by_grant callback. It isn't being
    used anywhere and token providers rebuild tokens at validation time.

    [1]: https://review.openstack.org/#/c/447562/

    Change-Id: I4e7e2f29d3db0eb8486173d4fb9134d61aab6dab
    partial-bug: 1671887

Changed in keystone:
assignee: Richard (csravelar) → Steve Martinelli (stevemar)

Reviewed: https://review.openstack.org/448613
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=259d4d4179f708969c200e00729b4b15e741ed73
Submitter: Jenkins
Branch: master

commit 259d4d4179f708969c200e00729b4b15e741ed73
Author: Richard Avelar <email address hidden>
Date: Wed Mar 22 14:35:14 2017 +0000

    Remove unused revoke_by_project_role_assignment

    This patch removes a method that wasn't being used anymore anywhere
    except for a single unit test. In addition, we no longer need to store
    the revocation event when the token provider API will rebuild the
    token context at validation time, and this revocation method isn't being
    exposed to an external API.

    Among some of the test coverage for this can be found here:
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_auth.py#L2030-L2060

    Change-Id: Ie92b238b0968a23bca3f0f57879369ea74298b8d
    partial-bug: 1671887

Reviewed: https://review.openstack.org/448615
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=14ff6e467ec0701da2800edd423d42d226020745
Submitter: Jenkins
Branch: master

commit 14ff6e467ec0701da2800edd423d42d226020745
Author: Richard Avelar <email address hidden>
Date: Wed Mar 22 14:46:25 2017 +0000

    Remove unused revoke_by_domain_role_assignment

    This patch removes a method that wasn't being used anymore anywhere
    except for a single unit test. In addition, we no longer need to store
    the revocation event when the token provider API will rebuild the
    token context at validation time. Some of the test coverage for this
    behavior can be located here:
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_assignment.py#L1175-L1177
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_assignment.py#L1191-L1193
    https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_assignment.py#L1311

    Change-Id: I1ee53f15ec6b2dae10bfbd0fc3435e018f26f04b
    partial-bug: 1671887

Reviewed: https://review.openstack.org/447564
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5da9d11e46d5e75b11b3c3cda25ce72f23eb798c
Submitter: Jenkins
Branch: master

commit 5da9d11e46d5e75b11b3c3cda25ce72f23eb798c
Author: Lance Bragstad <email address hidden>
Date: Mon Mar 20 15:55:19 2017 +0000

    Remove revocation API dependency from resource API

    The revocation API was listed as a dependency of the resource API,
    but it was never used. If it was no longer being used, we shouldn't
    make the resource API load it.

    Change-Id: Ia70064dce20a0bebf7b31a6b895ea0e5a0248480
    partial-bug: 1671887

Reviewed: https://review.openstack.org/447573
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b4cef3de502cd13cf44b7fc005003d7297706990
Submitter: Jenkins
Branch: master

commit b4cef3de502cd13cf44b7fc005003d7297706990
Author: Lance Bragstad <email address hidden>
Date: Mon Mar 20 16:04:36 2017 +0000

    Remove revocation API dependency from identity API

    The revocation API was listed as a dependency of the identity API,
    but it was never used. If it was no longer being used, we shouldn't
    make the identity API load it.

    Change-Id: I8137b1e9f7058572c1cf8de2ead4d5b42212f098
    partial-bug: 1671887

Changed in keystone:
assignee: Steve Martinelli (stevemar) → Richard (csravelar)
Dolph Mathews (dolph) on 2017-04-05
tags: added: performance

Reviewed: https://review.openstack.org/451452
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5323ee7802e4913f1bcac9e3d77d45a1734dd690
Submitter: Jenkins
Branch: master

commit 5323ee7802e4913f1bcac9e3d77d45a1734dd690
Author: Richard Avelar <email address hidden>
Date: Wed Mar 29 15:06:18 2017 +0000

    Remove unused revocation check in revoke_models

    This patch addresses [1] by removing the corresponding check in
    revocation models. There is no longer a need to check a token against
    the revocation table for access_token when we no longer persist them
    in a revocation event. This is due to token providers handling this
    when rebuilding a token at validation time.

    [1]: I4dc766981a29b0afd0a44718c1c5d81155163982
    partial-bug: 1671887

    Change-Id: I5a50ab9cdca64005e1e4a6738ee6a8accf458ed8

Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Richard (csravelar) → nobody
status: In Progress → Triaged