Need a test to verify tokens do not get data creep

Bug #1224273 reported by Morgan Fainberg
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Keystone needs a test that can verify that across the many changes we do not end up growing our token's data scope without explicit knowledge. The basic reasoning is to ensure that we can keep track of all the elements in a given token version and easily see when that has changed.

Currently there are checks to verify some token data is there, but there are no checks to verify that tokens don't end up with unknown/extra data. There seems to be a lot of duplicate data in the tokens at this point. This duplication of data should be kept to a minimum.

This will also help us to define the token specification and keep that explicit specification up to date. This specification can be used by developers to accurately predict what is guaranteed to be in every token and pull the data from the correct location.

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Adam Young (ayoung) wrote :

What data are you trying to limit? An unscoped token can become scoped, and vice versa, which means that this is already happening. Beyond that we have catalog data in the token.

Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: New → Incomplete
Dolph Mathews (dolph) wrote :

Non-contract attributes that are leaked from the backend implementation like "extra" and "metadata" and "is_admin" and "legacy_endpoint_id". Those are all implementation-specific details that were never meant to be exposed to the HTTP API.

Changed in keystone:
status: Incomplete → Triaged
Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → nobody
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/253669

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/253670

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/253671

tags: added: test-improvement
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/254258

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/253669
Reason: abandoning this in favor of - https://review.openstack.org/#/c/254258/

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Brant Knudson (blk-u)
Brant Knudson (blk-u)
Changed in keystone:
assignee: Brant Knudson (blk-u) → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/254258
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1ad62ef692b43b28fb96b79a3698bd2a5be85015
Submitter: Jenkins
Branch: master

commit 1ad62ef692b43b28fb96b79a3698bd2a5be85015
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 7 15:38:00 2015 +0000

    Add checks for token data creep using jsonschema

    Previously, the assertValidUnscopedTokenResponse method only
    ensured specific attributes were in the token response. These
    checks didn't ensure that the token scope never grew.

    This change makes it so that the assertion will fail if extra
    attributes are added to the token response. This should help
    us be more aware of changes that have token response data
    creep by building the check into the tests.

    This is implemented using the existing jsonschema work that
    keystone has for validating API requests.

    Change-Id: I15acd58a9efaac65ba066fbb7b81f15797b6573c
    Partial-Bug: 1224273

Changed in keystone:
milestone: none → mitaka-3
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/253671
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8a5343c8c219b011d122d3d8951ad541358887be
Submitter: Jenkins
Branch: master

commit 8a5343c8c219b011d122d3d8951ad541358887be
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 7 22:21:36 2015 +0000

    Add checks for domain scoped data creep

    Previously, the assertValidDomainScopedTokenResponse method only ensured
    specific attributes were in the token response. These checks didn't ensure
    that the token scope never grew.

    This change makes it so that the assertion will fail if extra attributes are
    added to the token response. This should help us be more aware of changes that
    have token response data creep by building the check into the tests.

    Change-Id: I43c86837f465f813da0985033a5af9d15d76eddc
    Partial-Bug: 1224273

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/253670
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fe14d330c7a5528a7a78c0445567845d62d3b2c0
Submitter: Jenkins
Branch: master

commit fe14d330c7a5528a7a78c0445567845d62d3b2c0
Author: Lance Bragstad <email address hidden>
Date: Mon Dec 7 22:41:57 2015 +0000

    Add checks for project scoped data creep to tests

    Previously, the assertValidProjectScopedTokenResponse method only ensured
    specific attributes were in the token response. These checks didn't ensure
    that the token scope never grew.

    This change makes it so that the assertion will fail if extra attributes are
    added to the token response. This should help us be more aware of changes that
    have token response data creep by building the check into the tests.

    Change-Id: I4ebb86af973ed6af001373756a69af9586bdefcf
    Closes-Bug: 1224273

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b3

This issue was fixed in the openstack/keystone 9.0.0.0b3 development milestone.
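
An added example, not keystone's own test code, of the strict check the commits in this thread describe: a token body fails as soon as it carries an attribute the schema does not list. The schema's field set and the sample bodies are assumptions constructed for illustration, and the walker is a stdlib stand-in for the jsonschema library that handles only the object keywords shown.

```python
# Simplified schema for an unscoped token body (assumed field set, not
# keystone's real schema). Only standard JSON Schema keywords are used.
UNSCOPED_TOKEN_SCHEMA = {
    "type": "object",
    "properties": {
        "methods": {"type": "array"},
        "expires_at": {"type": "string"},
        "issued_at": {"type": "string"},
        "user": {
            "type": "object",
            "properties": {"id": {"type": "string"}, "name": {"type": "string"}},
            "required": ["id", "name"],
            "additionalProperties": False,
        },
    },
    "required": ["methods", "expires_at", "issued_at", "user"],
    "additionalProperties": False,
}


def find_creep(doc, schema, path="token"):
    """Return sorted paths that are missing from, or not allowed by, the schema.

    Walks only the object keywords used above (properties, required,
    additionalProperties); it does not check value types.
    """
    problems = []
    if schema.get("type") != "object" or not isinstance(doc, dict):
        return problems
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in doc:
            problems.append(f"missing: {path}.{key}")
    for key, value in doc.items():
        if key in props:
            problems.extend(find_creep(value, props[key], f"{path}.{key}"))
        elif schema.get("additionalProperties", True) is False:
            problems.append(f"unexpected: {path}.{key}")
    return sorted(problems)


# Constructed sample bodies: one clean, one with backend attributes leaking in.
CLEAN = {"methods": ["password"], "expires_at": "2015-12-07T16:38:00Z",
         "issued_at": "2015-12-07T15:38:00Z",
         "user": {"id": "u1", "name": "alice"}}
LEAKY = dict(CLEAN, is_admin=False, metadata={},
             user={"id": "u1", "name": "alice", "extra": {}})

if __name__ == "__main__":
    print(find_creep(CLEAN, UNSCOPED_TOKEN_SCHEMA))
    print(find_creep(LEAKY, UNSCOPED_TOKEN_SCHEMA))
```

A presence-only assertion would pass both sample bodies; the `additionalProperties: False` entries are what turn the leaked attributes into failures.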
