OpenStack Identity (keystone)

Persistent tokens are not cleaned up when removing users from projects

Bug #1700748 reported by zhengliuyang on 2017-06-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Invalid	Low	zhengliuyang

Bug Description

If deleting a role, we should iterate over the assignments for this role and build the list of tokens we need to delete. In order to minimize the number of token list to delete, remove any redundant user+project deletions.

I think simplify the list for the same user is Improper, the same user and different project target different tokens. At the same time, original processing actually doesn't work due to user_ids is never added to.

OpenStack Infra (hudson-openstack) on 2017-06-27

Changed in keystone:
assignee:	nobody → zhengliuyang (zlyqqq)
status:	New → In Progress

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-06-27:

I'm not sure which specific issue this report is highlighting. Is it a question of validating a token after a role has been deleted?

- a user get role x on project y
- a user gets a token scoped to project y
- role x is deleted
- a user attempts to validate the project scoped token

The last step in that flow should return a 401 since the user won't have a role on the project. Also, since the fernet token format is non-persistent, keystone isn't able to generate a list of tokens based on the role in the token.

Can you provide links to the code that you think needs to be improved?

Changed in keystone:
status:	In Progress → Invalid

OpenStack Infra (hudson-openstack) on 2017-10-12

Changed in keystone:
status:	Invalid → In Progress

Lance Bragstad (lbragstad) on 2017-10-13

summary:

- Improper handle building list of token deletion
+ Persistent tokens are not cleaned up when removing users from projects

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-10-13:

I was able to recreate this by doing the following:

- switch to using the uuid token provider
- as an admin, create a user and assign them a role on a project
- generate some tokens using the new user
- confirm that the tokens exist in the backend
- as an admin, remove the user from the project
- attempt to validate the users token (should result in a 404)
- confirm the invalidated tokens are still in the backend

The tokens are considered invalid because we rely on token validation to rebuild the users assignments for the token. If the user doesn't have any valid role assignments on the project in question, the token is considered invalid.

If there is an issue with this flow it's that keystone leaves invalid tokens in the backend (which causes bloat). From an API perspective, things are working as designed. This is limited to only token providers that require persistent storage, so UUID.

Changed in keystone:
importance:	Undecided → Low

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2018-02-21:

Now that we're in the Rocky development cycle, we've removed the uuid token provider and the sql token storage driver, since it was slated for removal this release [0].

[0] https://review.openstack.org/#/c/543060/

Changed in keystone:
status:	In Progress → Invalid

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-02: Change abandoned on keystone (master)

Change abandoned by zhengliuyang (hfzhengliuyang@163.com) on branch: master
Review: https://review.openstack.org/475100

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.