Author: Lance Bragstad <lbrags...@gmail.com>
Date: Mon Feb 19 18:23:25 2018 +0000
Populate application credential data in token
Without this patch, the token formatter does not have enough data to
construct a token created with an application credential. This means
that if the token cache is disabled or expired, when keystone goes to
create the token it will not find any application credential information
and will not recreate the application_credential_restricted parameter in
the token data. This patch creates a new Payload class for application
credentials so that the application credential ID is properly persisted
in the msgpack'd payload. It also adds more data to the token data
object so that the application credential ID and name as well as its
restricted status are available when the token is queried.
Co-authored-by: Lance Bragstad <lbrags...@gmail.com>
** Changed in: keystone
Status: In Progress => Fix Released
validation of app cred tokens is dependent on
Status in OpenStack Identity (keystone):
Status in OpenStack Identity (keystone) queens series:
Status in OpenStack Identity (keystone) rocky series:
Some information in tokens obtained with application credentials isn't
available unless caching is enabled. I was able to recreate this using
some of the tests in test_v3_trust.py and by setting
CONF.token.cache_on_issue to False, which resulted in a 500 because a
specific key in the token reference wasn't available.
Without digging into it a bunch, I think this is because the token is
cached when it is created, meaning the process to rebuild the entire
authorization context at validation time is short-circuited.
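The failure mode described in the commit message and the bug report, as an added example that is not keystone's code: a cache hit hides the fact that the persisted payload cannot rebuild the application credential data. The class and function names, the version numbers and the sample records are hypothetical, and JSON stands in for msgpack so the block runs with the standard library only.

```python
import json

# Constructed stand-in for the application credential backend.
APP_CREDS = {"ac-1": {"name": "ci-deployer", "restricted": True}}

class ScopedPayload:
    """Hypothetical payload that persists only the user and project IDs."""
    version = 1
    fields = ("user_id", "project_id")

class AppCredPayload(ScopedPayload):
    """Hypothetical payload that also persists the application credential ID."""
    version = 2
    fields = ScopedPayload.fields + ("app_cred_id",)

PAYLOADS = {p.version: p for p in (ScopedPayload, AppCredPayload)}

def build_token_data(ref):
    """Rebuild token data from whatever reference fields are available."""
    data = {"user_id": ref["user_id"], "project_id": ref["project_id"]}
    app_cred_id = ref.get("app_cred_id")
    if app_cred_id is not None:
        cred = APP_CREDS[app_cred_id]
        data["application_credential"] = {"id": app_cred_id, "name": cred["name"]}
        data["application_credential_restricted"] = cred["restricted"]
    return data

def issue(auth, payload_cls, cache=None):
    """Serialize only the payload's fields; optionally cache the full token data."""
    token_id = json.dumps([payload_cls.version] + [auth[f] for f in payload_cls.fields])
    if cache is not None:
        # Equivalent of cache_on_issue: the complete data is stored at creation.
        cache[token_id] = build_token_data(auth)
    return token_id

def validate(token_id, cache=None):
    """Return cached token data if present, else rebuild it from the payload."""
    if cache is not None and token_id in cache:
        return cache[token_id]  # short-circuits the rebuild
    version, *values = json.loads(token_id)
    return build_token_data(dict(zip(PAYLOADS[version].fields, values)))

# Constructed authentication context for a token obtained with an app credential.
AUTH = {"user_id": "u-1", "project_id": "p-1", "app_cred_id": "ac-1"}
```

Validating a `ScopedPayload` token without the cache returns data with no `application_credential_restricted` key, which is the missing key the bug report describes; the same token validates completely while the cache entry exists.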