If the token is tenant scoped .. would make sense to disable token?
-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Dolph Mathews
Sent: Tuesday, June 04, 2013 2:21 PM
To: Bhandaru, Malini K
Subject: [Bug 1179955] Re: Disabling a tenant would not disable a user token
satya-patibandla: didn't mean to hijack this if you have a solution. I just wanted to put tests up to demonstrate
Title:
Disabling a tenant would not disable a user token
Status in OpenStack Identity (Keystone):
In Progress
Bug description:
Using keystone/python-keystoneclient master as of today when disabling
a tenant would not disable the users attached to the and would still
have access.
I would not mind to fix it but I want to make sure first if this is
something done by design or I am missing something.
Here is a transcript of my tests :
# Here is the list of my tenants all enabled and nice (devstack default)
chmouel@vm:~$ keystone tenant-list
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 1f1aeeace0db41e3966a4873877c4dde | admin | True |
| b39f8b007abe472b93ebb5c7fdd80c98 | demo | True |
| 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True |
| 13fe49ee5e0144d0acd0c89fb901a248 | service | True |
+----------------------------------+--------------------+---------+
# Let's store the DEMO_TENANT_ID for later
chmouel@vm:~$ DEMO_TENANT=b39f8b007abe472b93ebb5c7fdd80c98
# getting a token with this script available here http://p.chmouel.com/ks which
chmouel@vm:~$ ks localhost demo:demo ADMIN
[...]
# Using the token I can access to my swift account properly all good here.
chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
HTTP/1.1 204 No Content
Content-Length: 0
Accept-Ranges: bytes
X-Timestamp: 1368532646.31643
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: text/html; charset=UTF-8
X-Account-Object-Count: 0
X-Trans-Id: tx390b2fb557fb4cb48a082-0051923f3b
Date: Tue, 14 May 2013 13:42:19 GMT
# Now let's try to disable that tenant
chmouel@vm:~$ keystone tenant-update --enabled false ${DEMO_TENANT}
# tenant is disabled all good
chmouel@vm:~$ keystone tenant-list
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 1f1aeeace0db41e3966a4873877c4dde | admin | True |
| b39f8b007abe472b93ebb5c7fdd80c98 | demo | False |
| 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True |
| 13fe49ee5e0144d0acd0c89fb901a248 | service | True |
+----------------------------------+--------------------+---------+
# we still have access with that same token since it's properly in memcache
chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
HTTP/1.1 204 No Content
Content-Length: 0
Accept-Ranges: bytes
X-Timestamp: 1368532646.31643
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: text/html; charset=UTF-8
X-Account-Object-Count: 0
X-Trans-Id: txf9d27a7a8a034304b13cb-0051923f6f
Date: Tue, 14 May 2013 13:43:11 GMT
# let's restart memcache to clear it
chmouel@vm:~$ sudo /etc/init.d/memcached restart
Restarting memcached: memcached.
# but we still have access.
chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
HTTP/1.1 204 No Content
Content-Length: 0
Accept-Ranges: bytes
X-Timestamp: 1368532646.31643
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: text/html; charset=UTF-8
X-Account-Object-Count: 0
X-Trans-Id: txbe0c0caf533a4f6e98345-0051923f97
Date: Tue, 14 May 2013 13:43:51 GMT
the json reply when validating token says that the tenant is still
enabled even if it's disabled :
u'tenant': {u'description': None, u'enabled': True, u'id': u'b39f8b007abe472b93ebb5c7fdd80c98', u'name': u'demo'}}
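An added example, not Keystone's code and not part of the original report: a small in-memory model of the behaviour in the transcript, where the validation reply still carries `enabled: True` for a disabled tenant. The store layout and all function names are assumptions made for illustration; it contrasts validation that trusts the tenant data saved with the token against validation that re-reads the tenant, plus revocation when the tenant is disabled.

```python
import time

# Constructed sample data modelled on the transcript above; not Keystone's schema.
TENANTS = {"b39f8b007abe472b93ebb5c7fdd80c98": {"name": "demo", "enabled": True}}
TOKENS = {}  # token id -> record holding a tenant snapshot taken at issue time


def issue_token(token_id, user, tenant_id, ttl=3600):
    """Issue a tenant-scoped token; the tenant state is copied into the record."""
    tenant = TENANTS[tenant_id]
    TOKENS[token_id] = {
        "user": user,
        "tenant": {"id": tenant_id, "name": tenant["name"],
                   "enabled": tenant["enabled"]},
        "expires": time.time() + ttl,
        "revoked": False,
    }
    return TOKENS[token_id]


def validate_snapshot(token_id):
    """Assumed model of the reported behaviour: only the stored copy is consulted."""
    tok = TOKENS.get(token_id)
    return bool(tok and not tok["revoked"] and tok["expires"] > time.time()
                and tok["tenant"]["enabled"])


def validate_live(token_id):
    """Re-read the tenant's current state on every validation."""
    tok = TOKENS.get(token_id)
    if not tok or tok["revoked"] or tok["expires"] <= time.time():
        return False
    tenant = TENANTS.get(tok["tenant"]["id"])
    return bool(tenant and tenant["enabled"])


def disable_tenant(tenant_id, revoke=True):
    """Disable a tenant and, optionally, revoke every token scoped to it."""
    TENANTS[tenant_id]["enabled"] = False
    revoked = []
    if revoke:
        for token_id, tok in TOKENS.items():
            if tok["tenant"]["id"] == tenant_id and not tok["revoked"]:
                tok["revoked"] = True
                revoked.append(token_id)
    return revoked
```

Revocation on disable also covers consumers that cache a validation result, since a revoked token can be published to them, whereas a live lookup only helps services that actually re-validate.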