OpenStack Identity (keystone)

delete token for trust invalidation has typo

Bug #1152283 reported by Adam Young on 2013-03-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Adam Young	OpenStack Identity (keystone) 2013.1 "grizzly"

Bug Description

There are a couple typos that showed delete token for trust is untested.

In
keystone/identity/controllers.py

line 171

token_list = token_api.list_tokens(context, userid,

userid should be user_id

line 346

delete_tokens_for_user(self.token_api, self.trust_api, context,
user_id, tenant_id)

the last argument to this function is user, not tenant_id.

The backends can and should ignore the user_id field if the trust_id is passed in to list tokens. (The exception is the memcached backend, which needs the userid to find the tokens. This is another argument for deprecating the memcahced backend.)

OpenStack Infra (hudson-openstack) on 2013-03-07

Changed in keystone:
assignee:	nobody → Adam Young (ayoung)
status:	New → In Progress

Revision history for this message

Adam Young (ayoung) wrote on 2013-03-07:

Fix is underway

https://review.openstack.org/#/c/23708/

Revision history for this message

Adam Young (ayoung) wrote on 2013-03-08:

To test this issue:

1. Create a trust
2. As trustee, create a token from that trust.
3. trustee user changes password
4. trustee should attempt to use the token in step 2

The change password step will probably fail with a server 500 message.

Regardless of whether would succeeds or not, the token from step 2 would still be valid.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-03-08: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/23708
Committed: http://github.com/openstack/keystone/commit/a2c3636bfdebc3af3738e87fc2295dc3845913d2
Submitter: Jenkins
Branch: master

commit a2c3636bfdebc3af3738e87fc2295dc3845913d2
Author: Adam Young <email address hidden>
Date: Wed Mar 6 10:14:17 2013 -0500

Delete tokens for user

Bug 1152283

There was a typo in the function that showed it
was untested. This fixes the typo and adds a unit test

It also corrects the logic in the KVS backend to ignore
the user_id field when listing tokens by trust_id

Change-Id: I5325c04e53a09fce68f3d350e7502341a398aa05

Changed in keystone:
status:	In Progress → Fix Committed

Dolph Mathews (dolph) on 2013-03-08

Changed in keystone:
milestone:	none → grizzly-rc1
importance:	Undecided → High

Thierry Carrez (ttx) on 2013-03-21

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-04-04

Changed in keystone:
milestone:	grizzly-rc1 → 2013.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.