Public bug reported:

When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider.

Part of the fix has already been incorporated into a patch up for review [0]; it was discovered by jorge_munoz in some of his testing. But, since this is an inconsistency between token providers - there was a case for breaking it out into its own bug and its own fix.

Steps to reproduce

- Modify the keystone config to issue Fernet tokens
- Create two new domains
- Create two new users
- As the trustor, create a trust between the users
- As the trustee, get a trust-scoped Fernet token using the trust
- As the admin, disable the trustee's domain
- As the trustee, validate the token

The token validation in the last step should return a 401; instead, a proper token validation is returned.

[0] https://review.openstack.org/#/c/253273/27

** Affects: keystone
     Importance: Undecided
         Status: New

** Tags: fernet

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1532280

Title:
  Fernet trust token is still valid when user's domain is disabled.

Status in OpenStack Identity (keystone):
  New
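
The behaviour the report expects, as an added example that is not part of the original report and is not keystone code: a simplified in-memory model that re-checks user and domain state each time a trust-scoped token is validated. Every name in it (`Directory`, `validate_trust_token`, `reproduce`, the ids) is hypothetical, and it goes slightly beyond the report by checking the trustor's domain as well as the trustee's.

```python
# Simplified, constructed model; not keystone code. All names are hypothetical.
from dataclasses import dataclass


class Unauthorized(Exception):
    """Stands in for the HTTP 401 the report expects."""


@dataclass
class Directory:
    """In-memory stand-in for the identity backend."""
    domains: dict  # domain_id -> {"enabled": bool}
    users: dict    # user_id -> {"domain_id": str, "enabled": bool}

    def assert_user_usable(self, user_id):
        user = self.users[user_id]
        if not user["enabled"]:
            raise Unauthorized(f"user {user_id} is disabled")
        # A disabled domain must invalidate the token (the expected behaviour).
        if not self.domains[user["domain_id"]]["enabled"]:
            raise Unauthorized(f"domain of user {user_id} is disabled")


def validate_trust_token(payload, directory, trusts):
    """Re-check live state at validation time instead of trusting the token."""
    trust = trusts[payload["trust_id"]]
    if payload["user_id"] != trust["trustee_id"]:
        raise Unauthorized("token user is not the trustee")
    for user_id in (trust["trustee_id"], trust["trustor_id"]):
        directory.assert_user_usable(user_id)
    return {"user_id": payload["user_id"], "trust_id": payload["trust_id"]}


def reproduce():
    """Walk the report's steps against the model; return (before, after)."""
    directory = Directory(
        domains={"dom_a": {"enabled": True}, "dom_b": {"enabled": True}},
        users={"trustor": {"domain_id": "dom_a", "enabled": True},
               "trustee": {"domain_id": "dom_b", "enabled": True}},
    )
    trusts = {"t1": {"trustor_id": "trustor", "trustee_id": "trustee"}}
    payload = {"user_id": "trustee", "trust_id": "t1"}  # constructed token body
    before = validate_trust_token(payload, directory, trusts)
    directory.domains["dom_b"]["enabled"] = False  # admin disables the domain
    try:
        validate_trust_token(payload, directory, trusts)
        after = 200
    except Unauthorized:
        after = 401
    return before, after
```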