Revoking a role assignment revokes unscoped tokens too

Bug #1546197 reported by Alexander Makarov
Affects: Mirantis OpenStack
Status: Fix Released
Importance: Medium
Assigned to: Alexander Makarov

Bug Description

When you delete a role assignment using a user+role+project pairing, unscoped tokens between the user+project are unnecessarily revoked as well. In fact, two events are created for each role assignment deletion (one that is scoped correctly and one that is scoped too broadly).

Steps to reproduce:

1. Create new project and new user there
2. Add new project like member in admin tenant
3. Execute 'keystone token-get' in controller
4. Get TOKEN_ID
5. Execute curl request: curl -H "X-Auth-Token: TOKEN_ID" http://192.168.0.2:5000/v2.0/tenants

ER: curl should return correct result

6. Delete new user from admin tenant
7. Repeat curl request

ER: curl should return 401-error

Alexander Makarov (amakarov) wrote :
tags: added: customer-found
Changed in mos:
status: Confirmed → Won't Fix
status: Won't Fix → In Progress
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/17086
Submitter: Denis V. Meltsaykin <email address hidden>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: a8e372bb251fed2720e60261b7e2d8a3523377c8
Author: <email address hidden> <email address hidden>
Date: Wed Feb 17 16:11:45 2016

Do not revoke all of a user's tokens when a role assignment is deleted

Previously, an overly broad revocation event was being generated that
matched all of a user's tokens -- not just those belonging to a
user-project pair.

Closes-Bug: 1546197
(cherry picked from commit 5320b1a3358ada369d5db9aa68b6a07a36a82b1e)

Conflicts:
 keystone/tests/unit/test_auth.py

Change-Id: I52857029af21ac729f166b0e60aa9a38ffdc553a
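
The effect described in the bug report and commit message above, shown as a simplified model. This is an added example, not Keystone code and not part of the original report. It assumes a revocation event matches a token when every attribute set on the event equals the token's attribute, with unset attributes acting as wildcards; the class names, function names, and sample tokens are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: Optional[str]  # None means the token is unscoped
    issued_at: int

@dataclass(frozen=True)
class RevokeEvent:
    issued_before: int
    user_id: Optional[str] = None     # None acts as a wildcard (assumed model)
    project_id: Optional[str] = None

    def matches(self, token):
        # Tokens issued after the event are never affected by it.
        if token.issued_at > self.issued_before:
            return False
        for field in ("user_id", "project_id"):
            wanted = getattr(self, field)
            if wanted is not None and wanted != getattr(token, field):
                return False
        return True

def events_for_assignment_delete(user_id, project_id, now, buggy):
    """Events emitted when a user+role+project assignment is deleted."""
    events = [RevokeEvent(now, user_id=user_id, project_id=project_id)]
    if buggy:
        # The second, too-broad event from the report: user only, no project.
        events.append(RevokeEvent(now, user_id=user_id))
    return events

def revoked(tokens, events):
    return sorted(n for n, t in tokens.items() if any(e.matches(t) for e in events))

# Constructed sample tokens, all issued at t=100.
TOKENS = {
    "unscoped": Token("u1", None, 100),
    "admin-scoped": Token("u1", "admin", 100),
    "other-project": Token("u1", "demo", 100),
    "other-user": Token("u2", "admin", 100),
}

def compare(now=200):
    """Revoked token names for deleting u1's assignment on 'admin' at `now`."""
    return {
        "before_fix": revoked(TOKENS, events_for_assignment_delete("u1", "admin", now, True)),
        "after_fix": revoked(TOKENS, events_for_assignment_delete("u1", "admin", now, False)),
    }
```

In this model the user-only event also revokes the user's unscoped token and tokens scoped to unrelated projects, while the correctly scoped event revokes only the token for the user-project pair.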

Changed in mos:
status: In Progress → Fix Committed
Dmitry (dtsapikov)
tags: added: on-verification
Dmitry (dtsapikov) wrote :

Verified on 7.0+mu3

description: updated
tags: removed: on-verification
Changed in mos:
status: Fix Committed → Fix Released