Public bug reported:
When using UUID tokens, after token validation the user's domain info is filled in. For federated ephemeral users the domain ID and name are both set to the [federation].federated_domain_name config value.[1] When using fernet tokens, the user domain info isn't filled in.

We've got code in keystone that assumes that all users are going to have the domain info filled in, for example TokenModel raises UnexpectedError if the user info in the token doesn't have a domain name or ID, and doesn't provide a way to check if the user has a domain name or ID first.[2] (Why does keystone have multiple ways to represent a token??)

The domain info should be filled in when using fernet tokens so that it works like the other providers.

[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/common.py?id=3d989e8815c5fe932bb6e7a3e0541e8c75046225#n589
[2] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/token_model.py?id=3d989e8815c5fe932bb6e7a3e0541e8c75046225#n112

** Affects: keystone
     Importance: Undecided
     Assignee: Brant Knudson (blk-u)
         Status: In Progress

https://bugs.launchpad.net/bugs/1500459

Title:
  Validating federated fernet token loses user domain info

Status in Keystone:
  In Progress
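The mismatch described in the report, as an added example that is not keystone's code or part of the original report: a strict accessor fails on a validation result that lacks user domain info, and filling in the federated domain makes it match the other result. All function names, the "OS-FEDERATION" marker check, the "Federated" value and the sample token bodies are constructed assumptions.

```python
import copy

# Constructed stand-in for the [federation].federated_domain_name config value.
FEDERATED_DOMAIN_NAME = "Federated"


class UnexpectedError(Exception):
    """Stand-in for the error the report says TokenModel raises."""


def user_domain_id(token_data):
    """Strict accessor: assumes every validated token carries user domain info."""
    try:
        return token_data["token"]["user"]["domain"]["id"]
    except KeyError:
        raise UnexpectedError("user in token has no domain id") from None


def is_federated(token_data):
    # Assumption: a federated user is marked by an OS-FEDERATION section.
    return "OS-FEDERATION" in token_data["token"]["user"]


def fill_federated_domain(token_data, domain=FEDERATED_DOMAIN_NAME):
    """Return a copy whose federated user has domain id and name set to `domain`."""
    fixed = copy.deepcopy(token_data)
    user = fixed["token"]["user"]
    if is_federated(fixed) and "domain" not in user:
        user["domain"] = {"id": domain, "name": domain}
    return fixed


def check(token_data):
    """Return the domain id, or the error text a strict consumer would hit."""
    try:
        return user_domain_id(token_data)
    except UnexpectedError as exc:
        return "UnexpectedError: %s" % exc


# Constructed validation results for the same federated ephemeral user.
_FED = {"identity_provider": {"id": "example-idp"}, "protocol": {"id": "saml2"}}
UUID_VALIDATED = {"token": {"user": {
    "id": "alice", "OS-FEDERATION": _FED,
    "domain": {"id": FEDERATED_DOMAIN_NAME, "name": FEDERATED_DOMAIN_NAME}}}}
FERNET_VALIDATED = {"token": {"user": {"id": "alice", "OS-FEDERATION": _FED}}}

if __name__ == "__main__":
    print("uuid        ->", check(UUID_VALIDATED))
    print("fernet      ->", check(FERNET_VALIDATED))
    print("fernet+fill ->", check(fill_federated_domain(FERNET_VALIDATED)))
```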