| 2013-04-18 02:44:51 |
Philip Mark M. Deazeta |
bug |
|
|
added bug |
| 2013-04-18 02:45:45 |
Philip Mark M. Deazeta |
description |
Back in Folsom, when a user creates a project and add himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In grizzly, adding a user to a project would result to all his tokens being revoked even the unscoped ones. I've also tried Keystone V3 hoping that token scoping on domains would solve my problem but still the same thing happens
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to domain and some with projects
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+---------------------------------------------------------+-------+
| id | valid |
+---------------------------------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff | 1 |
| 3ba0ee57018c400f925d680068eb797e | 1 |
| cdb6fe2a1d23477f8bb4339afc7ae2ec | 1 |
| e0f66872d37b4c8bab41e63a35313867 | 1 |
+---------------------------------------------------------+-------+
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)
--------> All tokens no matter what scope became invalid
I need to verify if this is a bug or if this is how Keystone should actually work. |
Back in Folsom, when a user creates a project and add himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In grizzly, adding a user to a project would result to all his tokens being revoked even the unscoped ones. I've also tried Keystone V3 hoping that token scoping on domains would solve my problem but still the same thing happens
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to domain and some with projects
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+---------------------------------------------------------+-------+
| id | valid |
+---------------------------------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff | 1 |
| 3ba0ee57018c400f925d680068eb797e | 1 |
| cdb6fe2a1d23477f8bb4339afc7ae2ec | 1 |
| e0f66872d37b4c8bab41e63a35313867 | 1 |
+---------------------------------------------------------+-------+
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)
--------> All tokens no matter what scope became invalid |
|
| 2013-04-18 02:46:51 |
Philip Mark M. Deazeta |
description |
Back in Folsom, when a user creates a project and add himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In grizzly, adding a user to a project would result to all his tokens being revoked even the unscoped ones. I've also tried Keystone V3 hoping that token scoping on domains would solve my problem but still the same thing happens
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to domain and some with projects
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+---------------------------------------------------------+-------+
| id | valid |
+---------------------------------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff | 1 |
| 3ba0ee57018c400f925d680068eb797e | 1 |
| cdb6fe2a1d23477f8bb4339afc7ae2ec | 1 |
| e0f66872d37b4c8bab41e63a35313867 | 1 |
+---------------------------------------------------------+-------+
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)
--------> All tokens no matter what scope became invalid |
Back in Folsom, when a user creates a project and add himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In grizzly, adding a user to a project would result to all his tokens being revoked even the unscoped ones. I've also tried Keystone V3 hoping that token scoping on domains would solve my problem but still the same thing happens
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to domain and some with projects
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+---------------------------------------------------------+-------+
| id | valid |
+---------------------------------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff | 1 | ----> Unscoped token
| 3ba0ee57018c400f925d680068eb797e | 1 | ----> Scoped token
| cdb6fe2a1d23477f8bb4339afc7ae2ec | 1 |----> Unscoped token
| e0f66872d37b4c8bab41e63a35313867 | 1 | ----> Scoped Token
+---------------------------------------------------------+-------+
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)
--------> All tokens no matter what scope became invalid |
|
| 2013-04-18 02:49:53 |
Philip Mark M. Deazeta |
description |
Back in Folsom, when a user creates a project and add himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In grizzly, adding a user to a project would result to all his tokens being revoked even the unscoped ones. I've also tried Keystone V3 hoping that token scoping on domains would solve my problem but still the same thing happens
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to domain and some with projects
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+---------------------------------------------------------+-------+
| id | valid |
+---------------------------------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff | 1 | ----> Unscoped token
| 3ba0ee57018c400f925d680068eb797e | 1 | ----> Scoped token
| cdb6fe2a1d23477f8bb4339afc7ae2ec | 1 |----> Unscoped token
| e0f66872d37b4c8bab41e63a35313867 | 1 | ----> Scoped Token
+---------------------------------------------------------+-------+
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)
--------> All tokens no matter what scope became invalid |
Back in Folsom, when a user creates a project and add himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.
In grizzly, adding a user to a project would result to all his tokens being revoked even the unscoped ones. I've also tried Keystone V3 hoping that token scoping on domains would solve my problem but still the same thing happens
My test:
Token: UUID
I've created a bunch of tokens with different scopes, some scoped to domain and some with projects
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+---------------------------------------------------------+-------+
| id | valid |
+---------------------------------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff | 1 | ----> Unscoped token
| 3ba0ee57018c400f925d680068eb797e | 1 | ----> Scoped token
| cdb6fe2a1d23477f8bb4339afc7ae2ec | 1 |----> Unscoped token
| e0f66872d37b4c8bab41e63a35313867 | 1 | ----> Scoped Token
+---------------------------------------------------------+-------+
--------> Then I added that user to a project
mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)
--------> All tokens no matter what scope became invalid
This also relates to the bugs filed in Horizon
https://bugs.launchpad.net/horizon/+bug/1060426
https://bugs.launchpad.net/horizon/+bug/1166794 |
|
| 2013-04-18 02:54:41 |
Mark Maglana |
bug |
|
|
added subscriber Mark |
| 2013-04-18 02:56:47 |
Mark Maglana |
bug task added |
|
horizon |
|
| 2013-04-18 03:02:06 |
bronson espinosa |
bug |
|
|
added subscriber bronson espinosa |
| 2013-04-18 03:14:18 |
Ramil Bermejo |
bug |
|
|
added subscriber Ramil Bermejo |
| 2013-04-18 04:01:07 |
Satoshi Konno |
bug |
|
|
added subscriber Satoshi Konno |
| 2013-04-18 04:35:43 |
Alvin Garcia |
bug |
|
|
added subscriber Alvin Garcia |
| 2013-04-26 11:16:19 |
Julie Pichon |
bug |
|
|
added subscriber Julie Pichon |
| 2013-05-03 22:35:46 |
Gabriel Hurley |
horizon: importance |
Undecided |
High |
|
| 2013-05-03 22:35:46 |
Gabriel Hurley |
horizon: status |
New |
Confirmed |
|
| 2013-05-03 22:35:46 |
Gabriel Hurley |
horizon: milestone |
|
havana-1 |
|
| 2013-05-04 07:46:32 |
Hunter Nield |
bug |
|
|
added subscriber Hunter Nield |
| 2013-05-21 21:35:13 |
Gabriel Hurley |
horizon: milestone |
havana-1 |
havana-2 |
|
| 2013-05-27 14:26:35 |
Ricardo Contreras |
bug |
|
|
added subscriber Ricardo Contreras |
| 2013-06-01 20:45:01 |
Gabriel Hurley |
tags |
|
grizzly-backport-potential |
|
| 2013-06-03 15:30:00 |
Dolph Mathews |
keystone: importance |
Undecided |
High |
|
| 2013-06-03 15:30:08 |
Dolph Mathews |
keystone: status |
New |
Triaged |
|
| 2013-06-03 15:30:16 |
Dolph Mathews |
keystone: status |
Triaged |
Confirmed |
|
| 2013-06-03 19:25:03 |
OpenStack Infra |
keystone: status |
Confirmed |
In Progress |
|
| 2013-06-03 19:25:03 |
OpenStack Infra |
keystone: assignee |
|
Dolph Mathews (dolph) |
|
| 2013-06-04 01:16:17 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Committed |
|
| 2013-06-04 02:28:57 |
Lin Hua Cheng |
horizon: assignee |
|
Lin Hua Cheng (lin-hua-cheng) |
|
| 2013-06-04 12:05:07 |
Dolph Mathews |
summary |
Unscope token gets revoked when adding a user to a project |
Unscoped tokens are revoked when assigning a role to a user |
|
| 2013-06-25 14:01:38 |
Ionuț Arțăriși |
bug |
|
|
added subscriber Ionuț Arțăriși |
| 2013-07-10 22:01:47 |
Lin Hua Cheng |
horizon: status |
Confirmed |
Fix Committed |
|
| 2013-07-17 10:46:02 |
Thierry Carrez |
horizon: status |
Fix Committed |
Fix Released |
|
| 2013-07-17 12:05:03 |
Thierry Carrez |
keystone: status |
Fix Committed |
Fix Released |
|
| 2013-07-17 12:05:03 |
Thierry Carrez |
keystone: milestone |
|
havana-2 |
|
| 2013-08-05 17:16:55 |
Alan Pevec |
nominated for series |
|
keystone/grizzly |
|
| 2013-08-05 17:16:55 |
Alan Pevec |
bug task added |
|
keystone/grizzly |
|
| 2013-08-05 17:17:08 |
Alan Pevec |
keystone/grizzly: status |
New |
In Progress |
|
| 2013-08-05 17:17:10 |
Alan Pevec |
keystone/grizzly: importance |
Undecided |
High |
|
| 2013-08-05 17:17:19 |
Alan Pevec |
keystone/grizzly: assignee |
|
Dirk Mueller (dmllr) |
|
| 2013-08-05 17:17:24 |
Alan Pevec |
keystone/grizzly: milestone |
|
2013.1.3 |
|
| 2013-08-05 22:41:39 |
Alan Pevec |
keystone/grizzly: status |
In Progress |
Fix Committed |
|
| 2013-08-08 19:59:17 |
Alan Pevec |
keystone/grizzly: status |
Fix Committed |
Fix Released |
|
| 2013-10-17 12:36:24 |
Thierry Carrez |
keystone: milestone |
havana-2 |
2013.2 |
|
| 2013-10-17 12:57:35 |
Thierry Carrez |
horizon: milestone |
havana-2 |
2013.2 |
|
| 2014-03-30 23:31:43 |
Alan Pevec |
tags |
grizzly-backport-potential |
|
|
