[Yahoo-eng-team] [Bug 1335037] [NEW] get token fail also consume trust use

wanghong Fri, 27 Jun 2014 02:41:25 -0700

Public bug reported:

I think we should consume trust use only when getting token sucuess. But, 
currently if I get token fail the trust use will also be consumed. For example:
curl -i -H "Content-Type:application/json" 
http://127.0.0.1:35357/v3/auth/tokens -d 
'{"auth":{"identity":{"methods":["password"], 
"password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'


If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the 
trust(bcbddcc479304a8a8c39df24a87cce85), get  token will fail:
{"error": {"message": "User is not a trustee. (Disable debug mode to suppress 
these details.)", "code": 403, "title": "Forbidden"}}

But, the remaining uses of the trust will be consumed.

This is because we call "trust_api.consume_use" before
"token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375,
and issue_v3_token may be fail for some reasons.

** Affects: keystone
     Importance: Undecided
     Assignee: wanghong (w-wanghong)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => wanghong (w-wanghong)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1335037

Title:
  get token fail also consume trust use

Status in OpenStack Identity (Keystone):
  New

Bug description:
  I think we should consume trust use only when getting token sucuess. But, 
currently if I get token fail the trust use will also be consumed. For example:
  curl -i -H "Content-Type:application/json" 
http://127.0.0.1:35357/v3/auth/tokens -d 
'{"auth":{"identity":{"methods":["password"], 
"password":{"user":{"id":"b89cd1d1608f4e6ea588b1338f2621bd","password":"admin"}}},"scope":{"OS-TRUST:trust":{"id":"bcbddcc479304a8a8c39df24a87cce85"}}}}'

  If the user(b89cd1d1608f4e6ea588b1338f2621bd) is not the trustee user of the 
trust(bcbddcc479304a8a8c39df24a87cce85), get  token will fail:
  {"error": {"message": "User is not a trustee. (Disable debug mode to suppress 
these details.)", "code": 403, "title": "Forbidden"}}

  But, the remaining uses of the trust will be consumed.

  This is because we call "trust_api.consume_use" before
  
"token_provider_api.issue_v3_token":https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L375,
  and issue_v3_token may be fail for some reasons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1335037/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1335037] [NEW] get token fail also consume trust use

Reply via email to