Reviewed:  https://review.openstack.org/256736
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0aaa3ab1710c3bd9ca7800cc2156a483bd463a11
Submitter: Jenkins
Branch:    master

commit 0aaa3ab1710c3bd9ca7800cc2156a483bd463a11
Author: Ron De Rose <[email protected]>
Date:   Fri Dec 11 20:29:09 2015 +0000

    Changed the key repo validation to allow read only
    
    Fernet token operations would fail if the key repository did not
    have write access, even though it would only need read access.
    Added logic to validation to only check for read or read/write
    access based on what is required.
    
    Change-Id: I1ac8c3bd549055d5a13e0f5785dede42d710cf9d
    Closes-Bug: 1523664


** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1523664

Title:
  Token operations fail when fernet key repository isn't writeable

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When using fernet tokens, I'm unable to get a token if the
  key_repository isn't writeable [0]. The main keystone process is only
  required to read keys from the key repository. The keystone-manage
  process must have write access to the key repository in order to
  bootstrap keys.

  Keystone doesn't rely on write access in order to create tokens. The
  check for keystone shouldn't be dependent on it having write access,
  since it doesn't need it [1].

  The write permissions should be kept when called from keystone-manage,
  but not when called from keystone.

  mfisch and clayton from Time Warner Cable brought this to my attention
  and I was able to recreate.

  [0] http://cdn.pasteraw.com/nng0up76dgy5b3naw0hw4bdabdkin84
  [1] https://github.com/openstack/keystone/blob/56d3d76304a88baa3ff90e94e6bbd6d8d28e7dcf/keystone/token/providers/fernet/utils.py#L34-L36
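
The read versus read/write distinction the commit message describes, sketched as an added example (not keystone's code). The function names and the injectable `access` parameter are assumptions made here for illustration.

```python
import os
import tempfile


def missing_access(path, requires_write=False, access=os.access):
    """Return the permissions the caller lacks on the key repository.

    Reading keys needs read + execute (search) on the directory; only key
    bootstrap/rotation also needs write. `access` is injectable (an
    assumption of this sketch) so the check can be exercised without
    depending on the uid the example runs under.
    """
    needed = [("read", os.R_OK), ("execute", os.X_OK)]
    if requires_write:
        needed.append(("write", os.W_OK))
    return [name for name, flag in needed if not access(path, flag)]


def read_only_stub(path, flag):
    """Constructed stand-in for os.access on a repository mounted read-only."""
    return os.path.isdir(path) and flag != os.W_OK


def demo():
    """Run the check for both roles against a constructed temporary repo."""
    with tempfile.TemporaryDirectory() as repo:  # created with mode 0o700
        return {
            "service, read-only repo": missing_access(repo, False, read_only_stub),
            "manage, read-only repo": missing_access(repo, True, read_only_stub),
            "manage, writable repo": missing_access(repo, True),
            "service, absent repo": missing_access(os.path.join(repo, "absent")),
        }


if __name__ == "__main__":
    for case, missing in demo().items():
        print(f"{case}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Reporting which permission is missing, rather than a single pass/fail, lets an operator tell a read-only mount (acceptable for the service process) from an unreadable repository (a real misconfiguration).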
