[openstack-dev] [Keystone] State of Fernet tokens

Adam Young ayoung at redhat.com
Thu Feb 25 04:50:19 UTC 2016


A lot of people seem to be counting on Fernet tokens, so I figured I'd 
give a quick update.

Back in December, I made a quick check to see what would happen if we 
swapped Fernet in as the default token provider.  A bunch of tests 
failed.  Lance Bragstad and Raildo Mascena took that and ran with it.

As of tonight, there are 18 failed tests.  4 are due to trust tokens on 
V2.  We need to explicitly prevent trust execution for the V2 API, as 
the rules are not being enforced.  We sent up a warning about this 
before, but let me make it explicit: V2 Trust support is being yanked 
due to the need to make Fernet work.

There are also some strange things going on with revocation events. 
Since token revocations are only going to be handled via the revocation 
event API (not revocation list) we need to get this right.

Here is the complete list of failing tests right now:


These three are the trust tests I described above.

{0} keystone.tests.unit.test_auth.AuthWithTrust.test_delete_tokens_for_user_invalidates_tokens_from_trust [0.420011s] ... FAILED
{0} keystone.tests.unit.test_auth.AuthWithTrust.test_token_from_trust_cant_get_another_token [0.443193s] ... FAILED
{1} keystone.tests.unit.test_auth.AuthWithTrust.test_delete_trust_revokes_token [0.465307s] ... FAILED


Something seems to be strange with Cache invalidation.  They all deal 
with token deletion, which is handled by Revocation Events now.
But this seems to be a test problem, not with the main code.

{5} keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_unscoped_token [0.082660s] ... FAILED
{4} keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user [0.085062s] ... FAILED
{3} keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant [0.106043s] ... FAILED
{1} keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_id [0.081628s] ... FAILED
{1} keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user [0.244603s] ... FAILED
{1} keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant [0.237667s] ... FAILED
{6} keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_unscoped_token [0.278852s] ... FAILED
{0} keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_id [0.254170s] ... FAILED

{5} keystone.tests.unit.test_v3_assignment.AssignmentInheritanceTestCase.test_crud_inherited_and_direct_assignment_on_projects [1.390265s] ... FAILED
{3} keystone.tests.unit.test_no_admin_token_auth.TestNoAdminTokenAuth.test_request_no_admin_token_auth [0.111520s] ... FAILED

Since the revocation list is not going to be used with Fernet, I am not 
too worried about these.  I think these tests can be changed to use PKI 
tokens for now.


{2} keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_md5 [2.025202s] ... FAILED
{2} keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_sha256 [1.650198s] ... FAILED
{6} keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_audit_id_only_token [1.024048s] ... FAILED
{5} keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_ids_token [1.091590s] ... FAILED

And this one?  Passed when I ran it directly.  Looks like a bad test setup.
{3} keystone.tests.unit.test_v3_filters.IdentityTestListLimitCase.test_list_users_filtered_by_funny_name [2.169297s] ... FAILED


Review is here:
https://review.openstack.org/#/c/258650