[openstack-dev] [Keystone] State of Fernet tokens

Morgan Fainberg morgan.fainberg at gmail.com
Thu Feb 25 05:27:20 UTC 2016


On Wed, Feb 24, 2016 at 8:50 PM, Adam Young <ayoung at redhat.com> wrote:

> A lot of people seem to be counting on Fernet tokens, so I figured I'd
> give a quick update.
>
> Back in December, I made a quick check to see what would happen if we
> swapped Fernet in as the default token provider.  A bunch of tests fails.
> Lance Bragstad and Raildo Mascena took that and ran with it.
>
> As of tonight, there are 18 Failed test.  4 are due to trust tokens on
> V2.  we need to explicitly prevent trust execution for the V2 API, as the
> rules are not being enforced.  We sent up a warning about this before, but
> let me make it explicit;  V2 Trust support is being yanked due to the need
> to make Fernet work.
>
> There are also some strange things going on with revocation events. Since
> token revocations are only going to be handled via the revocation event API
> (not revocation list) we need to get this right.
>
> Here is the complete list of failing tests right now:
>
>
> These  three are the trust tests I described above.
>
> {0}
> keystone.tests.unit.test_auth.AuthWithTrust.test_delete_tokens_for_user_invalidates_tokens_from_trust
> [0.420011s] ... FAILED
> {0}
> keystone.tests.unit.test_auth.AuthWithTrust.test_token_from_trust_cant_get_another_token
> [0.443193s] ... FAILED
> {1}
> keystone.tests.unit.test_auth.AuthWithTrust.test_delete_trust_revokes_token
> [0.465307s] ... FAILED
>
>
> Something seems to be strange with Cache invalidation.  They all deal with
> token deletion, which is handled by Revocation Events now.
> But this seems to be a test problem, not with the main code.
>
> {5}
> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_unscoped_token
> [0.082660s] ... FAILED
> {4}
> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user
> [0.085062s] ... FAILED
> {3}
> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant
> [0.106043s] ... FAILED
> {1}
> keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_id
> [0.081628s] ... FAILED
> {1}
> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user
> [0.244603s] ... FAILED
> {1}
> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant
> [0.237667s] ... FAILED
> {6}
> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_unscoped_token
> [0.278852s] ... FAILED
> {0}
> keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_id
> [0.254170s] ... FAILED
>
>
All of these cache validation tests are failing for two distinct reasons:

1) the Fernet token key repository fixture is not being used for the
classes. Add in the use of the key_repository fixture and the first failure
will go away

2) The test is insanely synthetic and doesn't actually create data in the
identity or assignment backends. These tests need to be real test cases not
relying on the fact that the token backend contains the validated dataset.
This basically comes down to doing the load_fixtures() call and making sure
to use "real" project_id/user_id combinations.


> {5}
> keystone.tests.unit.test_v3_assignment.AssignmentInheritanceTestCase.test_crud_inherited_and_direct_assignment_on_projects
> [1.390265s] ... FAILED
> {3}
> keystone.tests.unit.test_no_admin_token_auth.TestNoAdminTokenAuth.test_request_no_admin_token_auth
> [0.111520s] ... FAILED
>
> Since the revocation list is not going to be used with Fernet, I am not
> too worried about these.  I think these tests can be changed to use PKI
> tokens for now.
>
>
Skip the revocation_list tests for Fernet absolutely.


>
> {2} keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_md5
> [2.025202s] ... FAILED
> {2}
> keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_sha256
> [1.650198s] ... FAILED
> {6}
> keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_audit_id_only_token
> [1.024048s] ... FAILED
> {5}
> keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_ids_token
> [1.091590s] ... FAILED
>
> And this one?  Passed when I ran it directly.  Looks like a bad test
> setup.
> {3}
> keystone.tests.unit.test_v3_filters.IdentityTestListLimitCase.test_list_users_filtered_by_funny_name
> [2.169297s] ... FAILED
>
>
> Review is here:
> https://review.openstack.org/#/c/258650
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160224/9b21af40/attachment.html>


More information about the OpenStack-dev mailing list