[openstack-dev] [Keystone] Group changes must revoke tokens

Henry Nash henryn at linux.vnet.ibm.com
Wed Dec 19 14:30:10 UTC 2012


Hi Adam,

Quite right. The API blueprint for user groups specifies that this should happen (Dolph had been reviewing this) and the server code is using the same revoke mechanism that happens when a user role changes. I'll see if I can refactor this so it is more general and it will then be obvious how we could plug in the mapping triggers.

Henry
On 19 Dec 2012, at 14:25, Adam Young wrote:

> Since both of you are working on stuff involving how Roles are assigned to users, I want you to both be aware of an important issue. When a user's roles change, their tokens get invalidated. Since both the group and mapping blueprints will affect Role assignments, both can have significant effects on the number of users whose tokens get revoked.
> 
> 
> Please update both of your blueprints to reflect this. We will need a common mechanism for determining which tokens to revoke.
> 
> This must happen before anything that changes role assignments can be merged.
> 
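
A sketch of the "common mechanism" the thread asks for, added here as an illustration and not taken from Keystone or from either blueprint: every kind of change is reduced to the set of (user, project) pairs whose effective roles changed, and tokens are selected from that set. The data model, the names (`Change`, `affected`, `tokens_to_revoke`) and the choice to scope revocation to the affected project are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    token_id: str
    user: str
    project: str

@dataclass(frozen=True)
class Change:
    kind: str          # "user_role", "group_role" or "group_membership"
    subject: str       # user name (user_role) or group name (group_*)
    project: str = ""  # project the role applies to (role changes only)
    user: str = ""     # member added or removed (membership changes only)

# Constructed sample data, not real Keystone state.
GROUP_MEMBERS = {"ops": {"alice", "bob"}, "dev": {"carol"}}
# Projects on which each group holds at least one role.
GROUP_PROJECTS = {"ops": {"prod", "staging"}, "dev": {"staging"}}
TOKENS = [
    Token("t1", "alice", "prod"),
    Token("t2", "alice", "staging"),
    Token("t3", "bob", "prod"),
    Token("t4", "carol", "staging"),
    Token("t5", "dave", "prod"),
]

def affected(change):
    """Return the (user, project) pairs whose effective roles changed."""
    if change.kind == "user_role":
        return {(change.subject, change.project)}
    if change.kind == "group_role":
        # One group-level change fans out to every member of the group.
        members = GROUP_MEMBERS.get(change.subject, set())
        return {(u, change.project) for u in members}
    if change.kind == "group_membership":
        # One user gains or loses every role the group holds.
        projects = GROUP_PROJECTS.get(change.subject, set())
        return {(change.user, p) for p in projects}
    raise ValueError(f"unknown change kind: {change.kind!r}")

def tokens_to_revoke(change, tokens=TOKENS):
    """Single revocation path shared by user, group and membership changes."""
    pairs = affected(change)
    return sorted(t.token_id for t in tokens if (t.user, t.project) in pairs)
```

A mapping-driven change would plug in as one more branch of `affected`, leaving the token selection untouched.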



