Fernet tokens do not maintain expires time across rescope (V2 tokens)

Bug #1469563 reported by Morgan Fainberg
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Lance Bragstad |
Kilo | Fix Released | High | Dolph Mathews |

Bug Description

Fernet tokens do not maintain the expiration time when rescoping tokens.

Tags: fernet
Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: fernet
summary: - Fernet tokens do not maintain expires time across rescope
+ Fernet tokens do not maintain expires time across rescope (V2 tokens)
Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress
Lance Bragstad (lbragstad) wrote :

I can reproduce this.

Here is an authentication response using passwordCredentials and the uuid provider: http://cdn.pasteraw.com/ve3ghqtx670q92a7tkz45lq4vzjrx7

Here is the response authenticating with the token above (rescoping): http://cdn.pasteraw.com/891ceexx0j1k5nom2muemdawdt4o6l2

The original token and the rescoped tokens both expire at 2015-06-29T15:59:21Z

The following is an authentication response using the fernet provider: http://cdn.pasteraw.com/8wtpp3b98ci647dgr5zg0j2py336tkb

The fernet token should expire at 2015-06-29T15:55:34.952246Z. The response from rescoping the fernet token bumps the expiration to 2015-06-29T15:56:09.663074Z : http://cdn.pasteraw.com/nud9m8000yyusa6ntqy2234ko8cnbwf

Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Lance Bragstad (lbragstad)
Dolph Mathews (dolph) wrote :

https://review.openstack.org/#/c/192739/ includes a new test called test_rescoping_token() which should be triggering this behavior, but it's running into bug 1459790 instead of the issue described here, even when I add a time.sleep() to the parent class' test. The microseconds simply differ between a zero and non-zero value, because Fernet cannot persist microseconds.

If this issue is truly distinct from bug 1459790, how do we reproduce it that differs from test_rescoping_token()?

Changed in keystone:
milestone: liberty-2 → liberty-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/196475
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e641c40b680bd4b68b5e319831c47473e6f7754e
Submitter: Jenkins
Branch: master

commit e641c40b680bd4b68b5e319831c47473e6f7754e
Author: Morgan Fainberg <email address hidden>
Date: Sun Jun 28 13:30:40 2015 -0700

    Maintain the expiry of v2 fernet tokens

    The v2 fernet provider didn't carry the expiration of a token from its
    parent token when handling a rescope. This means that a rescope of fernet
    tokens could extend the session indefinitely.

    Change-Id: Id1ec725fd89cd32260b7be4eead24a0fc84abfe1
    closes-bug: #1469563
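
An added example, not keystone's code: a small model of the invariant this fix restores, with a check that compares parent and rescoped expiry at whole-second granularity so the microsecond difference noted earlier in the thread is not flagged. TOKEN_TTL, the function names and the issue time are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=1)  # assumed token lifetime for this example


def parse_ts(value):
    """Parse an ISO 8601 'Z' timestamp, with or without microseconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def rescope_buggy(parent_expires, now):
    """Reported behaviour: expiry is recomputed from the rescope time."""
    return now + TOKEN_TTL


def rescope_fixed(parent_expires, now):
    """Expected behaviour: the rescoped token inherits the parent's expiry."""
    return parent_expires


def expiry_extended(parent_expires, child_expires):
    """True if the child outlives the parent, compared at whole seconds.

    Sub-second differences are ignored because, as noted in the thread,
    Fernet cannot persist microseconds.
    """
    trunc = lambda t: t.replace(microsecond=0)
    return trunc(child_expires) > trunc(parent_expires)


def max_session(rescope, rescopes, interval):
    """Total lifetime reached by rescoping up to `rescopes` times."""
    issued = datetime(2015, 6, 29, 14, 0, 0, tzinfo=timezone.utc)  # constructed
    expires, now = issued + TOKEN_TTL, issued
    for _ in range(rescopes):
        now += interval
        if now >= expires:  # an expired token cannot be rescoped
            break
        expires = rescope(expires, now)
    return expires - issued


if __name__ == "__main__":
    half_hour = timedelta(minutes=30)
    print("buggy:", max_session(rescope_buggy, 10, half_hour))
    print("fixed:", max_session(rescope_fixed, 10, half_hour))
```

Run against the expiry values quoted in the reproduction above, expiry_extended() flags the fernet pair and passes the uuid pair.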

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/214641

Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/214641
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8bd9b221807ffbce2a52861f14ecf503fdc644a6
Submitter: Jenkins
Branch: stable/kilo

commit 8bd9b221807ffbce2a52861f14ecf503fdc644a6
Author: Morgan Fainberg <email address hidden>
Date: Sun Jun 28 13:30:40 2015 -0700

    Maintain the expiry of v2 fernet tokens

    The v2 fernet provider didn't carry the expiration of a token from its
    parent token when handling a rescope. This means that a rescope of fernet
    tokens could extend the session indefinitely.

    Change-Id: Id1ec725fd89cd32260b7be4eead24a0fc84abfe1
    closes-bug: #1469563
    (cherry picked from commit e641c40b680bd4b68b5e319831c47473e6f7754e)

Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-3 → 8.0.0
no longer affects: keystone/liberty