Comment 5 for bug 1179955

Malini Bhandaru (malini-k-bhandaru) wrote : RE: [Bug 1179955] Re: Disabling a tenant would not disable a user token

If the token is tenant-scoped, would it make sense to disable the token?

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Dolph Mathews
Sent: Tuesday, June 04, 2013 2:21 PM
To: Bhandaru, Malini K
Subject: [Bug 1179955] Re: Disabling a tenant would not disable a user token

satya-patibandla: didn't mean to hijack this if you have a solution. I just wanted to put tests up to demonstrate

--
https://bugs.launchpad.net/bugs/1179955

Title:
  Disabling a tenant would not disable a user token

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  Using keystone/python-keystoneclient master as of today, disabling a
  tenant would not disable the users attached to the tenant, and they
  would still have access.

  I would not mind fixing it, but I want to make sure first whether this
  is something done by design or I am missing something.

  Here is a transcript of my tests:

  # Here is the list of my tenants all enabled and nice (devstack default)
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  | id                               | name               | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde | admin              | True    |
  | b39f8b007abe472b93ebb5c7fdd80c98 | demo               | True    |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True    |
  | 13fe49ee5e0144d0acd0c89fb901a248 | service            | True    |
  +----------------------------------+--------------------+---------+

  # Let's store the DEMO_TENANT_ID for later
  chmouel@vm:~$ DEMO_TENANT=b39f8b007abe472b93ebb5c7fdd80c98

  # getting a token with this script available here http://p.chmouel.com/ks which
  chmouel@vm:~$ ks localhost demo:demo ADMIN
  [...]

  # Using the token I can access my swift account properly, all good here.
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: tx390b2fb557fb4cb48a082-0051923f3b
  Date: Tue, 14 May 2013 13:42:19 GMT

  # Now let's try to disable that tenant
  chmouel@vm:~$ keystone tenant-update --enabled false ${DEMO_TENANT}

  # tenant is disabled all good
  chmouel@vm:~$ keystone tenant-list
  +----------------------------------+--------------------+---------+
  | id                               | name               | enabled |
  +----------------------------------+--------------------+---------+
  | 1f1aeeace0db41e3966a4873877c4dde | admin              | True    |
  | b39f8b007abe472b93ebb5c7fdd80c98 | demo               | False   |
  | 64e78275f80d47f998c4cd1f06e79b1e | invisible_to_admin | True    |
  | 13fe49ee5e0144d0acd0c89fb901a248 | service            | True    |
  +----------------------------------+--------------------+---------+

  # we still have access with that same token since it's properly in memcache
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: txf9d27a7a8a034304b13cb-0051923f6f
  Date: Tue, 14 May 2013 13:43:11 GMT

  # let's restart memcache to clear it
  chmouel@vm:~$ sudo /etc/init.d/memcached restart
  Restarting memcached: memcached.

  # but we still have access.
  chmouel@vm:~$ curl -i -H 'X-Auth-Token: b4b6fb5426914e19bc45cc7780be9b59' http://172.16.129.140:8080/v1/AUTH_b39f8b007abe472b93ebb5c7fdd80c98
  HTTP/1.1 204 No Content
  Content-Length: 0
  Accept-Ranges: bytes
  X-Timestamp: 1368532646.31643
  X-Account-Bytes-Used: 0
  X-Account-Container-Count: 0
  Content-Type: text/html; charset=UTF-8
  X-Account-Object-Count: 0
  X-Trans-Id: txbe0c0caf533a4f6e98345-0051923f97
  Date: Tue, 14 May 2013 13:43:51 GMT

  The JSON reply when validating the token says that the tenant is still
  enabled even though it is disabled:

  u'tenant': {u'description': None, u'enabled': True, u'id':
  u'b39f8b007abe472b93ebb5c7fdd80c98', u'name': u'demo'}}

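
Added example (not part of the bug report and not Keystone's code): a toy in-memory token store that reproduces the stale validation result shown in the transcript, next to two mitigations: re-checking the tenant's current state on every validation, and revoking tenant-scoped tokens when the tenant is disabled. `ToyIdentity`, `Unauthorized` and all method names are hypothetical, and storing a copy of the tenant record inside the token is an assumption made to model the stale `u'enabled': True` reply.

```python
# Added illustration: a toy in-memory identity store, NOT Keystone's code.
# Every class and method name here is hypothetical.
import uuid


class Unauthorized(Exception):
    pass


class ToyIdentity:
    def __init__(self):
        self.tenants = {}   # tenant_id -> {"name": str, "enabled": bool}
        self.tokens = {}    # token_id -> data captured at issue time

    def add_tenant(self, tenant_id, name):
        self.tenants[tenant_id] = {"name": name, "enabled": True}

    def issue_token(self, user, tenant_id):
        if not self.tenants[tenant_id]["enabled"]:
            raise Unauthorized("tenant disabled")
        token_id = uuid.uuid4().hex
        # Assumption: the token keeps a copy of the tenant record, which
        # goes stale as soon as the tenant is updated.
        self.tokens[token_id] = {"user": user, "tenant_id": tenant_id,
                                 "tenant": dict(self.tenants[tenant_id])}
        return token_id

    def validate_stale(self, token_id):
        # Behaviour seen in the transcript: only the stored copy is consulted.
        try:
            return self.tokens[token_id]
        except KeyError:
            raise Unauthorized("unknown token") from None

    def validate_checked(self, token_id):
        # Mitigation 1: look up the tenant's current state on every validation.
        data = self.validate_stale(token_id)
        if not self.tenants[data["tenant_id"]]["enabled"]:
            raise Unauthorized("tenant disabled")
        return data

    def disable_tenant(self, tenant_id, revoke=True):
        self.tenants[tenant_id]["enabled"] = False
        if revoke:
            # Mitigation 2: drop only the tokens scoped to this tenant.
            for tid in [t for t, d in self.tokens.items()
                        if d["tenant_id"] == tenant_id]:
                del self.tokens[tid]
```

Revocation here is limited to tokens scoped to the disabled tenant, so tokens issued for other tenants keep validating.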