Lack of documentation for validating expired tokens with service users

Bug #1779889 reported by Lance Bragstad on 2018-07-03
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Kristi Nikolla

Bug Description

Keystone supports the ability for service users to validate expired user tokens. This solved an issue where a user would initiate a long-running operation (e.g. live migration, instance back-ups, uploading large images to glance), and by the time the operation finished the user's token would be invalid, causing the operation to fail.

The solution to this problem is to use service users and configure them in such a way that they have the ability to validate expired user tokens. This keeps enforcement of the user's authorization valid when they start the operation but allows the operation to finish in the event it takes longer than the configured token expiration time.

We don't supply any documentation for this process or setting it up outside of the original specification [0]. If deployers want to use it, they have to dig through code to figure out how it works.

The lack of documentation was brought to our attention in IRC [1].

[0] https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/implemented/service-tokens.html
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-07-03.log.html#t2018-07-03T14:43:49
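The mechanism the report describes, modelled as an added example (this is illustration code, not keystone's or keystonemiddleware's own implementation). A service such as nova presents its own service-user token in X-Service-Token alongside the user's X-Auth-Token; keystonemiddleware accepts the user token even when it has expired only if the service token is itself valid and carries one of the roles listed in the [keystone_authtoken] options service_token_roles and service_token_roles_required, and keystone only honours allow_expired inside its [token] allow_expired_window grace period. Revoked tokens are never accepted. The token store, the reference time and the two-day window value are constructed for this example.

```python
# Added illustration of the decision keystonemiddleware makes when a request
# carries X-Auth-Token plus X-Service-Token; not keystone's or keystonemiddleware's
# code. Token store, names and the window value are constructed for the example.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SERVICE_TOKEN_ROLES = frozenset({"service"})   # [keystone_authtoken] service_token_roles
SERVICE_TOKEN_ROLES_REQUIRED = True            # [keystone_authtoken] service_token_roles_required
ALLOW_EXPIRED_WINDOW = timedelta(days=2)       # assumed value for keystone's [token] allow_expired_window


@dataclass(frozen=True)
class Token:
    user: str
    roles: frozenset
    expires_at: datetime
    revoked: bool = False


# Constructed reference time and token store standing in for keystone's backend.
NOW = datetime(2018, 7, 3, 15, 0, tzinfo=timezone.utc)
TOKENS = {
    "user-fresh":   Token("alice", frozenset({"member"}), NOW + timedelta(hours=1)),
    "user-stale":   Token("alice", frozenset({"member"}), NOW - timedelta(hours=3)),
    "user-ancient": Token("alice", frozenset({"member"}), NOW - timedelta(days=5)),
    "user-revoked": Token("alice", frozenset({"member"}), NOW + timedelta(hours=1), revoked=True),
    "svc-nova":     Token("nova",  frozenset({"service"}), NOW + timedelta(hours=1)),
    "svc-expired":  Token("nova",  frozenset({"service"}), NOW - timedelta(minutes=5)),
    "svc-no-role":  Token("nova",  frozenset({"member"}), NOW + timedelta(hours=1)),
}


class Rejected(Exception):
    """Raised where the real middleware would answer 401."""


def _fetch(token_id, now, allow_expired=False):
    """Model keystone's GET /v3/auth/tokens[?allow_expired=1] for one token."""
    tok = TOKENS.get(token_id)
    if tok is None or tok.revoked:
        raise Rejected(f"{token_id}: unknown or revoked")  # revocation always wins
    if tok.expires_at > now:
        return tok
    # Expired: only acceptable when the caller asked for it and the grace window has not passed.
    if allow_expired and now - tok.expires_at <= ALLOW_EXPIRED_WINDOW:
        return tok
    raise Rejected(f"{token_id}: expired")


def authorize_request(user_token_id, service_token_id=None, now=NOW):
    """Model keystonemiddleware's handling of X-Auth-Token plus optional X-Service-Token.

    Returns (user_token, service_token_or_None) when the request is let through,
    raises Rejected otherwise.
    """
    allow_expired = False
    service = None
    if service_token_id is not None:
        # The service token itself must be valid and unexpired; it gets no grace period.
        service = _fetch(service_token_id, now)
        if service.roles & SERVICE_TOKEN_ROLES:
            allow_expired = True
        elif SERVICE_TOKEN_ROLES_REQUIRED:
            raise Rejected(f"{service_token_id}: lacks a role in {sorted(SERVICE_TOKEN_ROLES)}")
    user = _fetch(user_token_id, now, allow_expired=allow_expired)
    return user, service


def is_accepted(user_token_id, service_token_id=None, now=NOW):
    """Convenience wrapper: True when the request would pass, False when it would get 401."""
    try:
        authorize_request(user_token_id, service_token_id, now)
    except Rejected:
        return False
    return True


if __name__ == "__main__":
    for user, svc in [("user-fresh", None), ("user-stale", None), ("user-stale", "svc-nova"),
                      ("user-ancient", "svc-nova"), ("user-stale", "svc-expired"),
                      ("user-stale", "svc-no-role"), ("user-revoked", "svc-nova")]:
        print(f"{user!s:13} with {svc!s:12} -> {'accepted' if is_accepted(user, svc) else 'rejected'}")
```

The point to take from the model is where the trust actually sits: the expired user token is never re-authorized on its own merits, it is accepted because a still-valid token holding the service role vouches for the request, so the service role assignment and the service_token_roles list are what a deployer should keep tight.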

description: updated
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: documentation low-hanging-fruit office-hours
Colleen Murphy (krinkle) wrote :

Additional source of information to refer to when writing the documentation: https://docs.openstack.org/releasenotes/keystonemiddleware/ocata.html

Irina Anyusheva (anyushevai) wrote :

Hi! I would like to work on this if this issue is not assigned to anyone.

Colleen Murphy (krinkle) wrote :

Please go ahead and assign yourself, Irina.

Changed in keystone:
assignee: nobody → Irina Anyusheva (anyushevai)
Irina Anyusheva (anyushevai) wrote :

Hi!
Please review https://review.openstack.org/#/c/614871/

Looking forward to any feedback!

Changed in keystone:
status: Triaged → In Progress
Colleen Murphy (krinkle) wrote :

Irina, as this is a bug for keystone could you address this in the keystone docs instead of the security guide docs? The code is here: http://git.openstack.org/cgit/openstack/keystone

In addition, if you add Closes-bug: #1779889 to your commit message it will automatically link the patch with this bug.

Fix proposed to branch: master
Review: https://review.openstack.org/631110

Changed in keystone:
assignee: Irina Anyusheva (anyushevai) → Kristi Nikolla (knikolla)

Reviewed: https://review.openstack.org/631110
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f471879b82d08316846e7e4a0ff75c4b3b90dabf
Submitter: Zuul
Branch: master

commit f471879b82d08316846e7e4a0ff75c4b3b90dabf
Author: Kristi Nikolla <email address hidden>
Date: Tue Jan 15 20:47:38 2019 -0500

    Add documentation for service tokens

    Updated documentation to include explanation and configuration
    settings for service tokens.

    Change-Id: I8a518614302e17be6dfc8d88dee5efe27a89edb0
    Closes-Bug: #1779889

Changed in keystone:
status: In Progress → Fix Released