auth_url and token authentication is broken

Bug #1257541 reported by Jamie Lennox
This bug affects 1 person
Affects: python-keystoneclient
Status: Fix Released
Importance: Wishlist
Assigned to: Jamie Lennox

Bug Description

The v2 and v3 clients both have support in authenticate() to handle the concept of using an auth_url and token. This is important as the way to rescope a token or to get a trust token should be to create a new client using the old token and the refinements (new roles, trust_ids, etc.) that you want to use.

Somewhere along the way it was assumed that the only reason that a token would be provided to the client was that this was the token you always wanted to use when issuing connections. So if auth_token_from_user is set, this will be used in preference to fetching a token. This prevents the usage described above.

Changed in python-keystoneclient:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/57803
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=35aed518a9a8c0049512910219ca6fea4f35f2b8
Submitter: Jenkins
Branch: master

commit 35aed518a9a8c0049512910219ca6fea4f35f2b8
Author: Jamie Lennox <email address hidden>
Date: Fri Nov 22 11:14:49 2013 +1000

    Correctly handle auth_url/token authentication

    Previously the client assumed that if a user passed a token then this
    token should be used for everything. This assumption is correct for the
    endpoint/token case but not in the auth_url/token case where you will
    want to fetch a new token. This is needed in the case where you want to
    use an existing token to fetch a token that is re-scoped or activate a
    trust.

    There are still problems such as if you use auth_url/token
    authentication then when the token expires it will try to refresh it,
    but authenticating with a token will not extend the token expiry.

    Closes-Bug: #1257541
    Change-Id: I1c35600ca5437da44071dcea5361bfb42f6b72a3
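
The two cases the commit message distinguishes, as a simplified model added here for illustration; it is not python-keystoneclient code. `Token`, `FakeIdentityService`, `ModelClient` and all values are hypothetical, and the `fixed` flag switches between the behaviour before and after the change.

```python
# Simplified model; not python-keystoneclient code. All names are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    id: str
    scope: Optional[str]
    expires_at: int  # constructed timestamp, seconds


class FakeIdentityService:
    """Stand-in for the identity service reached through auth_url."""

    def __init__(self):
        self.issued = 0

    def authenticate_with_token(self, token, scope):
        # A new token is issued for the requested scope, but authenticating
        # with a token does not extend the expiry: it is inherited.
        self.issued += 1
        return Token(f"rescoped-{self.issued}", scope, token.expires_at)


class ModelClient:
    def __init__(self, token, scope=None, identity=None, endpoint=None, fixed=True):
        self.user_token, self.scope = token, scope
        self.identity = identity  # set in the auth_url/token case
        self.endpoint = endpoint  # set in the endpoint/token case
        self.fixed = fixed        # False models the behaviour before the fix
        self._fetched = None

    def token_for_requests(self, now):
        # Before the fix a user-supplied token was used for everything.
        # In the endpoint/token case that is still the right answer.
        if not self.fixed or self.identity is None:
            return self.user_token
        # auth_url/token: trade the old token for a newly scoped one, and
        # try again once the fetched token has expired.
        if self._fetched is None or self._fetched.expires_at <= now:
            self._fetched = self.identity.authenticate_with_token(
                self.user_token, self.scope)
        return self._fetched
```

Calling `token_for_requests` with `now` past `expires_at` issues another token with the same expiry on every call, which is the remaining problem the commit message mentions.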

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in python-keystoneclient:
importance: Undecided → Wishlist
milestone: none → 0.4.2
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released