| 2016-02-03 22:29:20 |
Guang Yee |
bug |
|
|
added bug |
| 2016-02-08 07:00:25 |
Steve Martinelli |
keystone: milestone |
|
mitaka-3 |
|
| 2016-02-08 14:17:26 |
Lance Bragstad |
tags |
|
fernet |
|
| 2016-02-08 14:23:46 |
Lance Bragstad |
summary |
Invalid subject fernet token should result in 404 instead of 401 |
Invalid fernet X-Subject-Token token should result in 404 instead of 401 |
|
| 2016-02-08 14:24:03 |
Lance Bragstad |
keystone: importance |
Undecided |
Medium |
|
| 2016-02-08 14:45:19 |
Lance Bragstad |
keystone: status |
New |
Confirmed |
|
| 2016-02-08 14:57:07 |
Lance Bragstad |
description |
When a scoped fernet token is no longer valid (i.e. all the roles had been removed from the scope), token validation should result in 404 instead of 401. According to Keystone V3 API spec, 401 is returned only if X-Auth-Token is invalid. Invalid X-Subject-Token should yield 404. Furthermore, auth_token middleware only treat 404 as invalid subject token and cache it accordingly. Improper 401 will cause unnecessary churn as middleware will repeatedly attempt to re-authenticate the service user.
https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215
To reproduce the problem:
1. get a project scoped token
2. remove all the roles assigned to the user for that project
3. attempt to validate that project-scoped token will result in 401 |
When a scoped fernet token is no longer valid (i.e. all the roles had been removed from the scope), token validation should result in 404 instead of 401. According to Keystone V3 API spec, 401 is returned only if X-Auth-Token is invalid [0]. Invalid X-Subject-Token should yield 404. Furthermore, auth_token middleware only treat 404 as invalid subject token and cache it accordingly [1]. Improper 401 will cause unnecessary churn as middleware will repeatedly attempt to re-authenticate the service user.
To reproduce the problem:
1. get a project scoped token
2. remove all the roles assigned to the user for that project
3. attempt to validate that project-scoped token will result in 401
[0] https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#401-unauthorized
[1] https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215 |
|
| 2016-02-08 15:02:30 |
OpenStack Infra |
keystone: status |
Confirmed |
In Progress |
|
| 2016-02-08 15:02:30 |
OpenStack Infra |
keystone: assignee |
|
Lance Bragstad (lbragstad) |
|
| 2016-02-09 03:26:41 |
OpenStack Infra |
keystone: assignee |
Lance Bragstad (lbragstad) |
Steve Martinelli (stevemar) |
|
| 2016-02-09 04:14:12 |
Steve Martinelli |
keystone: assignee |
Steve Martinelli (stevemar) |
Lance Bragstad (lbragstad) |
|
| 2016-02-24 21:13:08 |
OpenStack Infra |
keystone: assignee |
Lance Bragstad (lbragstad) |
Raildo Mascena de Sousa Filho (raildo) |
|
| 2016-02-26 01:55:45 |
OpenStack Infra |
keystone: assignee |
Raildo Mascena de Sousa Filho (raildo) |
Guang Yee (guang-yee) |
|
| 2016-02-29 04:11:27 |
OpenStack Infra |
keystone: assignee |
Guang Yee (guang-yee) |
Lance Bragstad (lbragstad) |
|
| 2016-02-29 04:43:13 |
OpenStack Infra |
keystone: assignee |
Lance Bragstad (lbragstad) |
Guang Yee (guang-yee) |
|
| 2016-03-01 08:23:20 |
OpenStack Infra |
keystone: assignee |
Guang Yee (guang-yee) |
Steve Martinelli (stevemar) |
|
| 2016-03-01 08:23:42 |
Steve Martinelli |
keystone: assignee |
Steve Martinelli (stevemar) |
Guang Yee (guang-yee) |
|
| 2016-03-01 17:18:32 |
Steve Martinelli |
keystone: milestone |
mitaka-3 |
mitaka-rc1 |
|
| 2016-03-01 20:23:10 |
OpenStack Infra |
keystone: assignee |
Guang Yee (guang-yee) |
Lance Bragstad (lbragstad) |
|
| 2016-03-03 11:22:05 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
| 2016-03-04 23:18:06 |
Guang Yee |
nominated for series |
|
keystone/liberty |
|
| 2016-03-04 23:18:06 |
Guang Yee |
bug task added |
|
keystone/liberty |
|
| 2016-03-05 00:36:46 |
OpenStack Infra |
keystone/liberty: status |
New |
In Progress |
|
| 2016-03-05 00:36:46 |
OpenStack Infra |
keystone/liberty: assignee |
|
Guang Yee (guang-yee) |
|
| 2016-05-17 08:04:14 |
OpenStack Infra |
keystone/liberty: status |
In Progress |
Fix Committed |
|
| 2016-06-07 14:57:45 |
Samuel de Medeiros Queiroz |
keystone/liberty: importance |
Undecided |
Medium |
|
| 2016-06-09 17:23:19 |
OpenStack Infra |
tags |
fernet |
fernet in-stable-mitaka |
|
| 2017-01-17 19:54:58 |
Morgan Fainberg |
keystone/liberty: status |
Fix Committed |
Fix Released |
|
