Reviewed: https://review.openstack.org/339176 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d53db1889e17d493202743246243936af90234b9 Submitter: Jenkins Branch: master
commit d53db1889e17d493202743246243936af90234b9 Author: Lance Bragstad <[email protected]> Date: Thu Jul 7 18:32:11 2016 +0000 Fix fernet token validate for disabled domains/trusts This commit adds a check when rebuilding the authorization context of a trust-scoped token to make sure that both the trustor and the trustee are in enabled domains. With this patch the uuid token provider and the fernet token provider give the same response when caching is disabled. If caching is enabled, the fernet provider will still consider a trust-scoped token valid even though the trustor/trustee is in a disabled domain. A subsequent patch will fix the revocation event to make sure the token is removed from the cache when a domain is disabled. Change-Id: If3e941018d5c2c9bd22397e69f83b7bf92643340 Partial-Bug: 1532280 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1532280 Title: Fernet trust token is still valid when trustee's domain is disabled. Status in OpenStack Identity (keystone): Fix Released Bug description: When you have a Fernet trust-scoped token, and the user's domain is disabled, the token is still valid. This is inconsistent with the behavior of the UUID token provider. Part of the fix has already been incorporated into a patch up for review [0], it was discovered by jorge_munoz in some of his testing. But, since this is an inconsistency between token providers - there was a case for breaking it out into it's own bug and it's own fix. Steps to reproduce: - Enable the Fernet token provider in the keystone.conf file - Create domain A - Create a user in domain A - Create a project in domain A - Grant the user in domain A a role on the project in domain A - Create domain B - Create a user in domain B - As the user in domain A, create a trust with the user in domain B on the project in domain A - As the user in domain B, get a project-scoped token using the trust - As the admin, disable domain B (which is the trustee's domain) - As the user in domain B, validate the trust-scoped token This validation should return 404 Not Found, but instead it returns 200 OK. We have a patch in review that exposes the behavior for the Fernet provider [1]. [0] https://review.openstack.org/#/c/253273/27 [1] https://review.openstack.org/#/c/265455/4 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1532280/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
