Unscoped tokens get revoked when adding a user to a project [closed]

asked 2013-04-17 07:31:16 -0600

pdeazeta gravatar image

updated 2014-05-01 15:01:49 -0600

rbowen gravatar image

Back in Folsom, when a user creates a project and add himself onto that project, only the scoped token gets revoked and then we reuse the unscoped token to reauthenticate so that the user won't be logged out of the system.

In grizzly, adding a user to a project would result to all his tokens being revoked even the unscoped ones. I've also tried Keystone V3 hoping that token scoping on domains would solve my problem but still the same thing happens

My test: Token: UUID I've created a bunch of tokens with different scopes, some scoped to domain and some with projects

mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
+---------------------------------------------------------+-------+
| id                                                                         | valid |
+---------------------------------------------------------+-------+
| 067bb96c5ee3491c916c4db73693dfff     |     1 |
| 3ba0ee57018c400f925d680068eb797e   |     1 |
| cdb6fe2a1d23477f8bb4339afc7ae2ec      |     1 |
| e0f66872d37b4c8bab41e63a35313867    |     1 |
+---------------------------------------------------------+-------+

--------> Then I added that user to a project

mysql> SELECT id, valid FROM token WHERE user_id = "b68e401ce94c4aefbe1b1699e5a62956" AND valid = 1;
Empty set (0.00 sec)

--------> All tokens no matter what scope became invalid

I need to verify if this is a bug or if this is how Keystone should actually work.

edit retag flag offensive reopen merge delete

Closed for the following reason question is not relevant or outdated by rbowen
close date 2014-06-11 14:31:31.428433

Comments

Trying to clean up some really old posts ... I wonder if you can confirm that this is still happening in more recent versions of Keystone?

rbowen gravatar imagerbowen ( 2014-05-01 15:02:54 -0600 )edit