Activity log for bug #1541621

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2016-02-03 22:29:20 | Guang Yee | bug | | | added bug |
| 2016-02-08 07:00:25 | Steve Martinelli | keystone: milestone | | mitaka-3 | |
| 2016-02-08 14:17:26 | Lance Bragstad | tags | | fernet | |
| 2016-02-08 14:23:46 | Lance Bragstad | summary | Invalid subject fernet token should result in 404 instead of 401 | Invalid fernet X-Subject-Token token should result in 404 instead of 401 | |
| 2016-02-08 14:24:03 | Lance Bragstad | keystone: importance | Undecided | Medium | |
| 2016-02-08 14:45:19 | Lance Bragstad | keystone: status | New | Confirmed | |
| 2016-02-08 14:57:07 | Lance Bragstad | description | When a scoped fernet token is no longer valid (i.e. all the roles had been removed from the scope), token validation should result in 404 instead of 401. According to Keystone V3 API spec, 401 is returned only if X-Auth-Token is invalid. Invalid X-Subject-Token should yield 404. Furthermore, auth_token middleware only treat 404 as invalid subject token and cache it accordingly. Improper 401 will cause unnecessary churn as middleware will repeatedly attempt to re-authenticate the service user. https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215 To reproduce the problem: 1. get a project scoped token 2. remove all the roles assigned to the user for that project 3. attempt to validate that project-scoped token will result in 401 | When a scoped fernet token is no longer valid (i.e. all the roles had been removed from the scope), token validation should result in 404 instead of 401. According to Keystone V3 API spec, 401 is returned only if X-Auth-Token is invalid [0]. Invalid X-Subject-Token should yield 404. Furthermore, auth_token middleware only treat 404 as invalid subject token and cache it accordingly [1]. Improper 401 will cause unnecessary churn as middleware will repeatedly attempt to re-authenticate the service user. To reproduce the problem: 1. get a project scoped token 2. remove all the roles assigned to the user for that project 3. attempt to validate that project-scoped token will result in 401 [0] https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#401-unauthorized [1] https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215 | |
| 2016-02-08 15:02:30 | OpenStack Infra | keystone: status | Confirmed | In Progress | |
| 2016-02-08 15:02:30 | OpenStack Infra | keystone: assignee | | Lance Bragstad (lbragstad) | |
| 2016-02-09 03:26:41 | OpenStack Infra | keystone: assignee | Lance Bragstad (lbragstad) | Steve Martinelli (stevemar) | |
| 2016-02-09 04:14:12 | Steve Martinelli | keystone: assignee | Steve Martinelli (stevemar) | Lance Bragstad (lbragstad) | |
| 2016-02-24 21:13:08 | OpenStack Infra | keystone: assignee | Lance Bragstad (lbragstad) | Raildo Mascena de Sousa Filho (raildo) | |
| 2016-02-26 01:55:45 | OpenStack Infra | keystone: assignee | Raildo Mascena de Sousa Filho (raildo) | Guang Yee (guang-yee) | |
| 2016-02-29 04:11:27 | OpenStack Infra | keystone: assignee | Guang Yee (guang-yee) | Lance Bragstad (lbragstad) | |
| 2016-02-29 04:43:13 | OpenStack Infra | keystone: assignee | Lance Bragstad (lbragstad) | Guang Yee (guang-yee) | |
| 2016-03-01 08:23:20 | OpenStack Infra | keystone: assignee | Guang Yee (guang-yee) | Steve Martinelli (stevemar) | |
| 2016-03-01 08:23:42 | Steve Martinelli | keystone: assignee | Steve Martinelli (stevemar) | Guang Yee (guang-yee) | |
| 2016-03-01 17:18:32 | Steve Martinelli | keystone: milestone | mitaka-3 | mitaka-rc1 | |
| 2016-03-01 20:23:10 | OpenStack Infra | keystone: assignee | Guang Yee (guang-yee) | Lance Bragstad (lbragstad) | |
| 2016-03-03 11:22:05 | OpenStack Infra | keystone: status | In Progress | Fix Released | |
| 2016-03-04 23:18:06 | Guang Yee | nominated for series | | keystone/liberty | |
| 2016-03-04 23:18:06 | Guang Yee | bug task added | | keystone/liberty | |
| 2016-03-05 00:36:46 | OpenStack Infra | keystone/liberty: status | New | In Progress | |
| 2016-03-05 00:36:46 | OpenStack Infra | keystone/liberty: assignee | | Guang Yee (guang-yee) | |
| 2016-05-17 08:04:14 | OpenStack Infra | keystone/liberty: status | In Progress | Fix Committed | |
| 2016-06-07 14:57:45 | Samuel de Medeiros Queiroz | keystone/liberty: importance | Undecided | Medium | |
| 2016-06-09 17:23:19 | OpenStack Infra | tags | fernet | fernet in-stable-mitaka | |
| 2017-01-17 19:54:58 | Morgan Fainberg | keystone/liberty: status | Fix Committed | Fix Released | |