On Wed, Feb 24, 2016 at 9:27 PM, Morgan Fainberg <[email protected]> wrote:
> > > On Wed, Feb 24, 2016 at 8:50 PM, Adam Young <[email protected]> wrote: > >> A lot of people seem to be counting on Fernet tokens, so I figured I'd >> give a quick update. >> >> Back in December, I made a quick check to see what would happen if we >> swapped Fernet in as the default token provider. A bunch of tests fails. >> Lance Bragstad and Raildo Mascena took that and ran with it. >> >> As of tonight, there are 18 Failed test. 4 are due to trust tokens on >> V2. we need to explicitly prevent trust execution for the V2 API, as the >> rules are not being enforced. We sent up a warning about this before, but >> let me make it explicit; V2 Trust support is being yanked due to the need >> to make Fernet work. >> >> There are also some strange things going on with revocation events. Since >> token revocations are only going to be handled via the revocation event API >> (not revocation list) we need to get this right. >> >> Here is the complete list of failing tests right now: >> >> >> These three are the trust tests I described above. >> >> {0} >> keystone.tests.unit.test_auth.AuthWithTrust.test_delete_tokens_for_user_invalidates_tokens_from_trust >> [0.420011s] ... FAILED >> {0} >> keystone.tests.unit.test_auth.AuthWithTrust.test_token_from_trust_cant_get_another_token >> [0.443193s] ... FAILED >> {1} >> keystone.tests.unit.test_auth.AuthWithTrust.test_delete_trust_revokes_token >> [0.465307s] ... FAILED >> >> >> Something seems to be strange with Cache invalidation. They all deal >> with token deletion, which is handled by Revocation Events now. >> But this seems to be a test problem, not with the main code. >> >> {5} >> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_unscoped_token >> [0.082660s] ... FAILED >> {4} >> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user >> [0.085062s] ... FAILED >> {3} >> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant >> [0.106043s] ... FAILED >> {1} >> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_id >> [0.081628s] ... FAILED >> {1} >> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user >> [0.244603s] ... FAILED >> {1} >> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant >> [0.237667s] ... FAILED >> {6} >> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_unscoped_token >> [0.278852s] ... FAILED >> {0} >> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_id >> [0.254170s] ... FAILED >> >> > All of these cache validation tests are failing for two distinct reasons: > > 1) the Fernet token key repository fixture is not being used for the > classes. Add in the use of the key_repository fixture and the first failure > will go away > > 2) The test is insanely synthetic and doesn't actually create data in the > identity or assignment backends. These tests need to be real test cases not > relying on the fact that the token backend contains the validated dataset. > This basically comes down to doing the load_fixtures() call and making sure > to use "real" project_id/user_id combinations. > > Latest patchset resolves issues with cache invalidation > {5} >> keystone.tests.unit.test_v3_assignment.AssignmentInheritanceTestCase.test_crud_inherited_and_direct_assignment_on_projects >> [1.390265s] ... FAILED >> {3} >> keystone.tests.unit.test_no_admin_token_auth.TestNoAdminTokenAuth.test_request_no_admin_token_auth >> [0.111520s] ... FAILED >> >> Since the revocation list is not going to be used with Fernet, I am not >> too worried about these. I think these tests can be changed to use PKI >> tokens for now. >> >> > Skip the revocation_list tests for Fernet absolutely. > > Latest patchset skips revocation_list get attempts with Fernet. > >> {2} keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_md5 >> [2.025202s] ... FAILED >> {2} >> keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_sha256 >> [1.650198s] ... FAILED >> {6} >> keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_audit_id_only_token >> [1.024048s] ... FAILED >> {5} >> keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_ids_token >> [1.091590s] ... FAILED >> >> And this one? Passed when I ran it directly. Looks like a bad test >> setup. >> {3} >> keystone.tests.unit.test_v3_filters.IdentityTestListLimitCase.test_list_users_filtered_by_funny_name >> [2.169297s] ... FAILED >> >> >> Review is here: >> https://review.openstack.org/#/c/258650 >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> [email protected]?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
