<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
A lot of people seem to be counting on Fernet tokens, so I figured
I'd give a quick update.
<br>
<div class="moz-text-flowed" style="font-family: -moz-fixed;
font-size: 12px;" lang="x-unicode">
<br>
Back in December, I made a quick check to see what would happen if
we swapped Fernet in as the default token provider. A bunch of
tests fails. Lance Bragstad and Raildo Mascena took that and ran
with it.
<br>
<br>
As of tonight, there are 18 Failed test. 4 are due to trust
tokens on V2. we need to explicitly prevent trust execution for
the V2 API, as the rules are not being enforced. We sent up a
warning about this before, but let me make it explicit; V2 Trust
support is being yanked due to the need to make Fernet work.
<br>
<br>
There are also some strange things going on with revocation
events. Since token revocations are only going to be handled via
the revocation event API (not revocation list) we need to get this
right.
<br>
<br>
Here is the complete list of failing tests right now:
<br>
<br>
<br>
These three are the trust tests I described above.
<br>
<br>
{0}
keystone.tests.unit.test_auth.AuthWithTrust.test_delete_tokens_for_user_invalidates_tokens_from_trust
[0.420011s] ... FAILED
<br>
{0}
keystone.tests.unit.test_auth.AuthWithTrust.test_token_from_trust_cant_get_another_token
[0.443193s] ... FAILED
<br>
{1}
keystone.tests.unit.test_auth.AuthWithTrust.test_delete_trust_revokes_token
[0.465307s] ... FAILED
<br>
<br>
<br>
Something seems to be strange with Cache invalidation. They all
deal with token deletion, which is handled by Revocation Events
now.
<br>
But this seems to be a test problem, not with the main code.<br>
<br>
{5}
keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_unscoped_token
[0.082660s] ... FAILED
<br>
{4}
keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user
[0.085062s] ... FAILED
<br>
{3}
keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant
[0.106043s] ... FAILED
<br>
{1}
keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation.test_delete_scoped_token_by_id
[0.081628s] ... FAILED
<br>
{1}
keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user
[0.244603s] ... FAILED
<br>
{1}
keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant
[0.237667s] ... FAILED
<br>
{6}
keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_unscoped_token
[0.278852s] ... FAILED
<br>
{0}
keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_id
[0.254170s] ... FAILED
<br>
<br>
{5}
keystone.tests.unit.test_v3_assignment.AssignmentInheritanceTestCase.test_crud_inherited_and_direct_assignment_on_projects
[1.390265s] ... FAILED
<br>
{3}
keystone.tests.unit.test_no_admin_token_auth.TestNoAdminTokenAuth.test_request_no_admin_token_auth
[0.111520s] ... FAILED
<br>
<br>
Since the revocation list is not going to be used with Fernet, I
am not too worried about these. I think these tests can be
changed to use PKI tokens for now.
<br>
<br>
<br>
{2}
keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_md5
[2.025202s] ... FAILED
<br>
{2}
keystone.tests.unit.test_v2.V2TestCase.test_fetch_revocation_list_sha256
[1.650198s] ... FAILED
<br>
{6}
keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_audit_id_only_token
[1.024048s] ... FAILED
<br>
{5}
keystone.tests.unit.test_v3_auth.TestFetchRevocationList.test_ids_token
[1.091590s] ... FAILED
<br>
<br>
And this one? Passed when I ran it directly. Looks like a bad
test setup.
<br>
{3}
keystone.tests.unit.test_v3_filters.IdentityTestListLimitCase.test_list_users_filtered_by_funny_name
[2.169297s] ... FAILED
<br>
<br>
<br>
Review is here: <br>
<a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/258650">https://review.openstack.org/#/c/258650</a><br>
</div>
</body>
</html>