Unscoped tokens are revoked when assigning a role to a user

diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index e82b81f..7676195 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -299,7 +299,7 @@ class Role(controller.V2Controller):

         self.identity_api.add_role_to_user_and_project(
             context, user_id, tenant_id, role_id)
- self._delete_tokens_for_user(context, user_id)
+ self._delete_tokens_for_user(context, user_id, tenant_id)

         role_ref = self.identity_api.get_role(context, role_id)
         return {'role': role_ref}

is there any reason for why the tokens, including scoped token, shall be revoked when addinguser to a tenant? For removing users from roles or tenant, seems the revoke of token can help delete the invalid tokens.

I ran into this testing things with the v3 API and it's exceedingly annoying. This is a breaking change in the Keystone API behavior and we should discuss what makes the most sense here. Becoming immediately unauthorized when taking this action causes various other problems in Horizon where multiple API requests may be queued together.

The token also gets expired when the owner is added or removed from a group.

+1 on exceedingly annoying.

Revoking tokens as a result of a role assignment was simply overkill. I don't think we need to revoke any tokens, and we can instead place the burden on the user to figure out that they should re-authenticate to take advantage of recent role assignments.

I think that the best option here is at least show a message (in Horizon) indicating a re-authentication needed, avoiding the annoying errors. Also, is important to restrict the rol changes of the user logged to only one, and doesn't permit more than it.

> Also, is important to restrict the rol changes of the user logged to only one, and doesn't permit more than it.

How/why?

Fix proposed to branch: master
Review: https://review.openstack.org/31548

Reviewed: https://review.openstack.org/31548
Committed: http://github.com/openstack/keystone/commit/132ff6d85e02acdce7483c2848686676cb4f14a0
Submitter: Jenkins
Branch: master

commit 132ff6d85e02acdce7483c2848686676cb4f14a0
Author: Dolph Mathews <email address hidden>
Date: Mon Jun 3 14:21:36 2013 -0500

    Maintain tokens after role assignments (bug 1170186)

    Change-Id: Iacd2d9e09be4ab3d6a3c5acf4074e4af7e300602

Dolph: The patch https://review.openstack.org/31548 only took care of creation of role assignment to user. The token is also revoked on removal of role assignment from user, add/remove user from group. Should we also remove token revocation for those operations?

Lin Hua Cheng: Yes, I agree. I've opened bug 1187359 to track that work.

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/34622

Validated that assigning roles to User/Group does not revoke the token anymore, this was fixed in Keystone.

Revoking roles from User/Group still revokes the token.

For revoking roles from User/Group, it is by design to revoke the token immediately because from security perspective revoking roles must be immediate to prevent user from further accessing the system. Adding roles is less important and could wait until the user re-authenticates.

cherry pick with original change-id https://review.openstack.org/40249