Revoking a role revokes the unscoped token for a user
Bug #1511775 reported by Jeff Deville
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Medium | Unassigned |
Bug Description
In Juno and Kilo, when a role is revoked from a user on a project, a callback is triggered that invalidates all of that user's tokens. I can see why we'd want to do that for scoped tokens. But by revoking the unscoped token as well, the user is forced to log out and log back in. It seems like the unscoped token should be left alone, since revoking a role is an authorization change, and the unscoped token is an authentication issue.
tags: added: revoke
Changed in keystone:
  assignee: nobody → Steve Martinelli (stevemar)
  status: Triaged → In Progress
Changed in keystone:
  assignee: Steve Martinelli (stevemar) → nobody
Changed in keystone:
  assignee: nobody → Lance Bragstad (lbragstad)
  status: Invalid → In Progress
Changed in keystone:
  status: In Progress → Invalid
  assignee: Lance Bragstad (lbragstad) → nobody
Assigning this to Jorge Munoz, who started working on a related patch at the OpenStack summit this week.
With Fernet, we can not bother revoking either of these tokens. Instead, the new role set is computed at token validation time, and the scoped token would only be invalid if it was the last remaining role the user had on the project. Otherwise, both tokens would remain valid and the scoped token would simply be missing the revoked role.
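The three behaviours discussed on this page (the Juno/Kilo callback that kills every token, the reporter's proposal to leave the unscoped token alone, and the Fernet validation-time recomputation from the comment above) side by side, as an added toy model in Python. This is illustrative code, not keystone's implementation; the `Identity` and `Token` classes and the sample user, project and roles are constructed for the example.

```python
# Added illustrative model of the three behaviours discussed in this bug.
# Not keystone code: Identity, Token and the sample data are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Token:
    user: str
    project: Optional[str]          # None = unscoped (authentication only)
    roles: FrozenSet[str] = frozenset()
    issued_at: int = 0


class Identity:
    """Live role assignments plus the revocation events a callback records."""

    def __init__(self, assignments):
        self.assignments = {k: set(v) for k, v in assignments.items()}
        self.events = []            # (user, project, revoked_at)

    def revoke_role(self, user, project, role, at):
        self.assignments[(user, project)].discard(role)
        self.events.append((user, project, at))


def validate_juno_kilo(token: Token, idm: Identity) -> bool:
    """Reported behaviour: a role revocation event for the user invalidates
    every token issued before it, the unscoped one included."""
    return not any(u == token.user and at >= token.issued_at
                   for u, _p, at in idm.events)


def validate_scoped_only(token: Token, idm: Identity) -> bool:
    """Reporter's proposal: an unscoped token is authentication only, so it
    survives; only tokens scoped to the affected project are invalidated."""
    if token.project is None:
        return True
    return not any(u == token.user and p == token.project and at >= token.issued_at
                   for u, p, at in idm.events)


def validate_fernet_style(token: Token, idm: Identity) -> Tuple[bool, FrozenSet[str]]:
    """Validation-time approach from the last comment: nothing is revoked;
    the role set is recomputed on each validation, and a scoped token only
    becomes invalid once the user has no roles left on the project."""
    if token.project is None:
        return True, frozenset()
    live = frozenset(idm.assignments.get((token.user, token.project), set()))
    return bool(live), live
```

Under the Fernet-style check the token's embedded role list is ignored and the live set is returned instead, which is how the scoped token ends up "simply missing the revoked role" rather than being rejected.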