Public bug reported:

I have noticed in the keystone code that the update_domain and update_project methods in the assignment_api Manager invalidate the cache for get_*_by_name() using the new name, not the old one.

For example, in update_domain(), if you are changing the domain name from 'OldName' to 'NewName', get_domain_by_name.invalidate() is called with 'NewName' as the argument. See:
https://github.com/openstack/keystone/blob/1e948043fe2456bd91b398317c71c665d69e9935/keystone/assignment/core.py#L320

As a result, the old name can be used in some requests until the cache record is expired. For example, if you rename a domain, the old name can still be used for authentication (note, caching should be enabled in the keystone configuration):

1. Define domain by its name during login:

   curl -X POST -H 'Content-type: application/json' -d '{"auth":{"identity":{"methods":["password"], "password":{"user":{"name":"Alice","domain":{"name": "OldName"}, "password":"A12345678"}}}}}' -v http://192.168.56.101:5000/v3/auth/tokens

2. Change domain name:

   curl -X PATCH -H 'Content-type: application/json' -H 'X-Auth-Token: indigitus' -d '{"domain":{"name":"NewName"}}' http://192.168.56.101:5000/v3/domains/7e0629d4e31b4c5591a4a10d0b8931df

3. Login using old domain name (copy command from step 1).

As a result, Alice will be logged in, even though the domain name specified is not available anymore.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1311142

Title:
  Cache records for get_*_by_name are not invalidated on entity rename

Status in OpenStack Identity (Keystone):
  New
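The stale-entry behaviour described in the report, as an added toy model that is not part of the original report and is not keystone's code. DomainManager, its methods, the invalidate_old switch and the sample domain "d1" are hypothetical names and constructed data used only to contrast invalidating the new name alone with also invalidating the old one.

```python
# Added illustration: a toy by-name cache, not keystone's implementation.
# All class, method and parameter names here are hypothetical.


class DomainManager:
    def __init__(self):
        self._by_id = {}       # backing store: domain_id -> domain record
        self._name_cache = {}  # memoized by-name lookups: name -> domain record

    def create_domain(self, domain_id, name):
        self._by_id[domain_id] = {"id": domain_id, "name": name}

    def _lookup_by_name(self, name):
        # Authoritative lookup against the backing store.
        for record in self._by_id.values():
            if record["name"] == name:
                return dict(record)
        raise KeyError(name)

    def get_domain_by_name(self, name):
        # Serve from the cache when present, otherwise fill it.
        if name not in self._name_cache:
            self._name_cache[name] = self._lookup_by_name(name)
        return self._name_cache[name]

    def update_domain(self, domain_id, new_name, invalidate_old):
        old_name = self._by_id[domain_id]["name"]
        self._by_id[domain_id]["name"] = new_name
        # What the report describes: only the NEW name is invalidated.
        self._name_cache.pop(new_name, None)
        if invalidate_old:
            # The entry that is actually stale is keyed by the OLD name.
            self._name_cache.pop(old_name, None)


def old_name_still_resolves(invalidate_old):
    """Return True if 'OldName' is still served after the rename."""
    mgr = DomainManager()
    mgr.create_domain("d1", "OldName")   # constructed sample data
    mgr.get_domain_by_name("OldName")    # warms the cache, like step 1
    mgr.update_domain("d1", "NewName", invalidate_old)  # like step 2
    try:
        mgr.get_domain_by_name("OldName")  # like step 3
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    print("new name only invalidated:", old_name_still_resolves(False))
    print("old name also invalidated:", old_name_still_resolves(True))
```

The same pattern works as a regression test for any by-name cache: warm the cache, rename, then assert that the old name no longer resolves.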