I'm not sure which specific issue this report is highlighting. Is it a
question of validating a token after a role has been deleted?

 - a user gets role x on project y
 - a user gets a token scoped to project y
 - role x is deleted
 - a user attempts to validate the project scoped token

The last step in that flow should return a 401 since the user won't have
a role on the project. Also, since the fernet token format is
non-persistent, keystone isn't able to generate a list of tokens based on
the role in the token.

Can you provide links to the code that you think needs to be improved?

** Changed in: keystone
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1700748

Title:
  Improper handle building list of token deletion

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  If deleting a role, we should iterate over the assignments for this
  role and build the list of tokens we need to delete. In order to
  minimize the number of token list to delete, remove any redundant
  user+project deletions.

  I think simplifying the list for the same user is improper: the same
  user on different projects targets different tokens. At the same time,
  the original processing actually doesn't work because user_ids is never
  added to.
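The two points raised above (validation re-checks role assignments because a non-persistent token carries no role list, and a deletion list must be keyed by user+project rather than by user alone) as an added, self-contained model; this is illustration code, not keystone's implementation, and the `Identity` class, its assignment table and the sample user/project/role ids are all constructed here.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    # Constructed assignment table: (user_id, project_id) -> set of role ids.
    assignments: dict = field(default_factory=dict)

    def grant(self, user_id, project_id, role_id):
        self.assignments.setdefault((user_id, project_id), set()).add(role_id)

    def issue_token(self, user_id, project_id):
        # Fernet-style payload: only the scope is carried, no roles, and nothing
        # is stored server-side, so there is no token table to query by role.
        if not self.assignments.get((user_id, project_id)):
            raise PermissionError("401: no role on project")
        return {"user_id": user_id, "project_id": project_id}

    def validate_status(self, token):
        # Roles are re-derived from the assignment table on every validation,
        # so a role deleted after issuance is caught here even though the
        # token itself is still well-formed. Returns an HTTP-style status.
        roles = self.assignments.get((token["user_id"], token["project_id"]), set())
        return 200 if roles else 401

    def delete_role(self, role_id):
        # Compute the scopes whose tokens are affected. Deduplicate per
        # (user, project) pair, not per user: the same user on two projects
        # holds two distinct project-scoped tokens.
        affected = set()
        for (user_id, project_id), roles in self.assignments.items():
            if role_id in roles:
                affected.add((user_id, project_id))
                roles.discard(role_id)
        return sorted(affected)


def walk_through():
    """The four-step flow from the comment: grant, issue, delete role, validate."""
    idm = Identity()
    idm.grant("u1", "p1", "x")
    idm.grant("u1", "p2", "x")
    idm.grant("u1", "p2", "y")
    tok = idm.issue_token("u1", "p1")
    before = idm.validate_status(tok)
    affected = idm.delete_role("x")
    after = idm.validate_status(tok)
    return before, affected, after


if __name__ == "__main__":
    print(walk_through())  # (200, [('u1', 'p1'), ('u1', 'p2')], 401)
```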

