Token operations fail when fernet key repository isn't writeable

Bug #1523664 reported by Lance Bragstad
This bug affects 1 person
Affects                       | Status       | Importance | Assigned to      | Milestone
OpenStack Identity (keystone) | Fix Released | Undecided  | Ron De Rose      |
Liberty                       | Fix Released | Undecided  | Steve Martinelli |

Bug Description

When using fernet tokens, I'm unable to get a token if the key_repository isn't writeable [0]. The main keystone process is only required to read keys from the key repository. The keystone-manage process must have write access to the key repository in order to bootstrap keys.

Keystone doesn't rely on write access in order to create tokens. The check for keystone shouldn't be dependent on it having write access, since it doesn't need it [1].

The write permissions should be kept when called from keystone-manage, but not when called from keystone.

mfisch and clayton from Time Warner Cable brought this to my attention and I was able to recreate.

[0] http://cdn.pasteraw.com/nng0up76dgy5b3naw0hw4bdabdkin84
[1] https://github.com/openstack/keystone/blob/56d3d76304a88baa3ff90e94e6bbd6d8d28e7dcf/keystone/token/providers/fernet/utils.py#L34-L36
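
A conditional permission check of the kind the report asks for, as an added illustration (this is not keystone's code; the function names, the temporary directory and the key file content are constructed for the example). The token provider only lists and reads key files, so it needs read and search access on the directory; only the key-bootstrap/rotation path additionally requires write access. The example also flags a world-readable repository, since that is the permission mistake that matters for key material:

```python
"""Conditional permission check for a fernet key repository (added example)."""
import os
import stat
import tempfile


def validate_key_repository(path, requires_write=False):
    """Return True if the current process can use the key repository at `path`.

    Read and search bits are always required: listing key files needs X_OK on
    the directory and reading them needs R_OK. Write access is demanded only
    when the caller says it will create or rotate keys (the keystone-manage
    case); a token-validating server should pass requires_write=False.
    """
    is_valid = os.access(path, os.R_OK) and os.access(path, os.X_OK)
    if requires_write:
        is_valid = is_valid and os.access(path, os.W_OK)
    return is_valid


def world_readable(path):
    """True if 'other' can read or search the directory, i.e. keys could leak."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IXOTH))


# os.access(W_OK) always succeeds for root on a writable filesystem, so the
# read-only demonstration below is only meaningful for an unprivileged user.
IS_ROOT = hasattr(os, "geteuid") and os.geteuid() == 0


def demo():
    """Exercise both checks against a constructed, read-only key repository."""
    with tempfile.TemporaryDirectory() as repo:
        # Constructed sample repository: one key file, then owner-read-only dir.
        with open(os.path.join(repo, "0"), "w") as key_file:
            key_file.write("constructed-key-material")
        os.chmod(repo, 0o500)  # r-x for owner, nothing for group/other
        try:
            results = {
                # server path: read-only is sufficient
                "token_provider_ok": validate_key_repository(repo),
                # key-rotation path: write access is required
                "manage_ok": validate_key_repository(repo, requires_write=True),
                "world_readable": world_readable(repo),
                # a missing repository fails either way
                "missing_repo_ok": validate_key_repository(
                    os.path.join(repo, "does-not-exist")),
            }
        finally:
            os.chmod(repo, 0o700)  # restore so the temp dir can be removed
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as an unprivileged user, `token_provider_ok` is True and `manage_ok` is False for the read-only directory, which is exactly the split the report argues for: the server keeps issuing and validating tokens, while only the process that writes keys is refused.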

Tags: fernet
tags: added: fernet
summary: - Unable to get token when fernet key repository isn't writeable
+ Token operations fail when fernet key repository isn't writeable
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Might be able to fix with something like - http://cdn.pasteraw.com/k6itk7dgxbuj5jf0s45s10clhfekl33

description: updated
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Navid Pustchi (npustchi)
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Navid Pustchi (npustchi)
assignee: Navid Pustchi (npustchi) → nobody
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in keystone:
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/256736

Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/256736
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0aaa3ab1710c3bd9ca7800cc2156a483bd463a11
Submitter: Jenkins
Branch: master

commit 0aaa3ab1710c3bd9ca7800cc2156a483bd463a11
Author: Ron De Rose <email address hidden>
Date: Fri Dec 11 20:29:09 2015 +0000

    Changed the key repo validation to allow read only

    Fernet token operations would fail if the key repository did not
    have write access, even though it would only need read access.
    Added logic to validation to only check for read or read/write
    access based on what is required.

    Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d
    Closes-Bug: 1523664

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/314672

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Also backporting this to stable/liberty since that was also an affected release.

https://review.openstack.org/#/c/314672/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/liberty)

Reviewed: https://review.openstack.org/314672
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f811287beadab3c6d5ebdcae57ea6844284f72ea
Submitter: Jenkins
Branch: stable/liberty

commit f811287beadab3c6d5ebdcae57ea6844284f72ea
Author: Ron De Rose <email address hidden>
Date: Fri Dec 11 20:29:09 2015 +0000

    Changed the key repo validation to allow read only

    Fernet token operations would fail if the key repository did not
    have write access, even though it would only need read access.
    Added logic to validation to only check for read or read/write
    access based on what is required.

    Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d
    Closes-Bug: 1523664
    (cherry picked from commit 0aaa3ab1710c3bd9ca7800cc2156a483bd463a11)

Revision history for this message
xiexianbin (xiexianbin) wrote :

useful for me

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 8.1.2

This issue was fixed in the openstack/keystone 8.1.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

This issue was fixed in the openstack/keystone 8.1.2 release.
