Persistent tokens are not cleaned up when removing users from projects
Bug #1700748 reported by zhengliuyang
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Invalid | Low | zhengliuyang | |
Bug Description
If deleting a role, we should iterate over the assignments for this role and build the list of tokens we need to delete. In order to minimize the number of token list to delete, remove any redundant user+project deletions.
I think simplifying the list for the same user is improper; the same user on different projects targets different tokens. At the same time, the original processing actually doesn't work because user_ids is never added to.
Changed in keystone:
- assignee: nobody → zhengliuyang (zlyqqq)
- status: New → In Progress

Changed in keystone:
- status: Invalid → In Progress
- summary: "Improper handle building list of token deletion" → "Persistent tokens are not cleaned up when removing users from projects"
I'm not sure which specific issue this report is highlighting. Is it a question of validating a token after a role has been deleted?
- a user gets role x on project y
- a user gets a token scoped to project y
- role x is deleted
- a user attempts to validate the project scoped token
The last step in that flow should return a 401 since the user won't have a role on the project. Also, since the fernet token format is non-persistent, keystone isn't able to generate a list of tokens based on the role in the token.
Can you provide links to the code that you think needs to be improved?
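The two revocation models discussed in this report, as an added illustration that is not keystone's code: for persistent tokens, the deletion list built after a role is deleted must be keyed by (user, project) pairs, because collapsing it to users alone leaves tokens for the user's other projects in place; for a non-persistent format such as fernet there is no token list to build, and the project-scoped token simply fails validation once the user has no remaining role on the project. All ids, assignments, tokens and function names below are constructed for the example.

```python
"""Added example (not keystone's code): role deletion and token revocation
over constructed in-memory data, showing why (user, project) granularity
matters for persistent tokens and why non-persistent tokens need no list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    user_id: str
    project_id: str
    role_id: str


@dataclass(frozen=True)
class Token:
    token_id: str
    user_id: str
    project_id: str


# Constructed sample data; every id here is hypothetical.
ASSIGNMENTS = [
    Assignment("alice", "proj-a", "role-x"),
    Assignment("alice", "proj-b", "role-x"),  # same user, same role, other project
    Assignment("bob", "proj-a", "role-x"),
    Assignment("bob", "proj-c", "role-z"),
]
TOKENS = [
    Token("t1", "alice", "proj-a"),
    Token("t2", "alice", "proj-b"),
    Token("t3", "bob", "proj-a"),
    Token("t4", "bob", "proj-c"),
]


def targets_for_deleted_role(role_id, assignments):
    """Persistent-token path: (user, project) pairs whose tokens must go.
    A set removes redundant user+project entries without losing projects."""
    return {(a.user_id, a.project_id) for a in assignments if a.role_id == role_id}


def tokens_to_delete(role_id, assignments, tokens):
    """Token ids to delete, matched on the (user, project) pair."""
    targets = targets_for_deleted_role(role_id, assignments)
    return sorted(t.token_id for t in tokens if (t.user_id, t.project_id) in targets)


def tokens_to_delete_by_user_only(role_id, assignments, tokens):
    """The over-simplified variant: keep one project per user. Alice's
    token on proj-b survives even though she lost role-x there."""
    first_project = {}
    for a in assignments:
        if a.role_id == role_id:
            first_project.setdefault(a.user_id, a.project_id)
    return sorted(t.token_id for t in tokens
                  if first_project.get(t.user_id) == t.project_id)


def delete_role(role_id, assignments):
    """Drop every assignment of the role; returns the remaining assignments."""
    return [a for a in assignments if a.role_id != role_id]


def validate_scoped_token(token, assignments):
    """Non-persistent path: a project-scoped token is valid only while the
    user still holds some role on that project (otherwise the API returns 401)."""
    return any(a.user_id == token.user_id and a.project_id == token.project_id
               for a in assignments)


def demo():
    remaining = delete_role("role-x", ASSIGNMENTS)
    return {
        "persistent_delete_by_pair": tokens_to_delete("role-x", ASSIGNMENTS, TOKENS),
        "persistent_delete_by_user": tokens_to_delete_by_user_only("role-x", ASSIGNMENTS, TOKENS),
        "still_valid_after_delete": [t.token_id for t in TOKENS
                                     if validate_scoped_token(t, remaining)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the pair-keyed list revoking t1, t2 and t3, the user-keyed list missing t2, and validation against the post-deletion assignments leaving only t4 (bob's token on proj-c, where he keeps role-z) valid.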