[Openstack-security] [Bug 1430951] Re: Revocation causes duplicate (and overly broad?) events in revocation table
Adam Young
1430951 at bugs.launchpad.net
Tue Mar 31 20:09:05 UTC 2015
The reason we get both a revoke by Grant and a revoke by user ID is
deliberate, and until we sort things out, we can't really change it.
If we are doing persisted tokens, we can only revoke by user id.
If we are doing non-persisted tokens, we don't get a TRL, and break PKI tokens.
The emit code, like this:
git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/core.py#n380

    self.identity_api.emit_invalidate_user_token_persistence(user_id)
    self.revoke_api.revoke_by_grant(role_id, user_id=user_id,
                                    project_id=tenant_id)

needs to be a single call that makes the correct form of revocation
depending on what is enabled. This is a significant enough rewrite that
I am reluctant to do it in the Kilo code base.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1430951
Title:
Revocation causes duplicate (and overly broad?) events in revocation
table
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
Revoke a project scoped token
You see 3 entries in the revocation_event table:
1) (id, user_id, project_id, role_id, issued_before)
2) (id, user_id,, issued_before)
3) (id, user_id,, issued_before)
2 & 3 are redundant. Definitely 3) is redundant as it is the same as 2).
BTW, this is from the master branch as of 3/11/2015.
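As an added illustration (not Keystone's own code, and not from either poster), the following models the three events the bug report lists and the single, configuration-dependent call Adam Young describes. The field names follow the bug report; the match rule (every populated field must equal the token's, and the token must predate issued_before), the `subsumes`/`dedupe` helpers and `revoke_grant` are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, List


@dataclass(frozen=True)
class RevocationEvent:
    # Mirrors the columns named in the bug report; None means "any value".
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    role_id: Optional[str] = None
    issued_before: float = 0.0

    def matches(self, token: dict) -> bool:
        """Assumed rule: every populated field equals the token's field and
        the token was issued before issued_before."""
        for name in ("user_id", "project_id", "role_id"):
            want = getattr(self, name)
            if want is not None and token.get(name) != want:
                return False
        return token["issued_at"] < self.issued_before

    def subsumes(self, other: "RevocationEvent") -> bool:
        """True if every token revoked by `other` is also revoked by self."""
        for name in ("user_id", "project_id", "role_id"):
            mine, theirs = getattr(self, name), getattr(other, name)
            if mine is not None and mine != theirs:
                return False
        return self.issued_before >= other.issued_before


def dedupe(events: List[RevocationEvent]) -> List[RevocationEvent]:
    """Drop events that are duplicates of, or fully covered by, another event."""
    kept: List[RevocationEvent] = []
    for ev in events:
        if any(k.subsumes(ev) for k in kept):
            continue
        kept = [k for k in kept if not ev.subsumes(k)]
        kept.append(ev)
    return kept


def bug_report_events(now: float) -> List[RevocationEvent]:
    """Constructed sample: the three rows seen after revoking a project-scoped token."""
    return [RevocationEvent("u1", "p1", "r1", now),
            RevocationEvent("u1", None, None, now),
            RevocationEvent("u1", None, None, now)]


def revoke_grant(role_id, user_id, project_id, persisted_tokens, now):
    """Hypothetical single entry point: one event, shaped by what is enabled."""
    if persisted_tokens:  # persisted tokens can only be invalidated per user
        return RevocationEvent(user_id=user_id, issued_before=now)
    return RevocationEvent(user_id, project_id, role_id, now)
```

Running `dedupe(bug_report_events(100.0))` leaves only the user-wide event, which is the "overly broad" behaviour the bug title questions: it also revokes that user's tokens for unrelated projects.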