Public bug reported:

When an unassigned role is revoked on a group, it revokes tokens for users with the same role in the project.

Here is the scenario to reproduce it.

1. Create 'proj1', then create an admin role assignment for user 'user_admin' and a viewer role assignment for group 'grp_viewer' in proj1.

2. Run "openstack role remove admin --group grp_viewer --project proj1" to revoke the non-existing admin role on grp_viewer; then all tokens in proj1 for admin role users will be revoked, i.e. tokens created with user_admin are revoked.

In the token validation flow (in our case the user_admin token), the token is validated against revocation_event entries at https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L148, which returns the token as revoked because, when the role is revoked in step 2, an entry is created in the keystone.revocation_event table as shown below.

[keystone]> select * from revocation_event;
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| id | domain_id | project_id                       | user_id | role_id                          | trust_id | consumer_id | access_token_id | issued_before       | expires_at | revoked_at          | audit_id | audit_chain_id |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+
| 42 | NULL      | b7f38f1af5304e2bb18737e6725f2f4a | NULL    | f669540d3e11483ba1ce1e5de9412af0 | NULL     | NULL        | NULL            | 2017-02-07 08:30:37 | NULL       | 2017-02-07 08:30:37 | NULL     | NULL           |
+----+-----------+----------------------------------+---------+----------------------------------+----------+-------------+-----------------+---------------------+------------+---------------------+----------+----------------+

token_data:
{
    'access_token_id': None,
    'project_id': u'b7f38f1af5304e2bb18737e6725f2f4a',
    'user_id': u'0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9',
    'roles': [u'f669540d3e11483ba1ce1e5de9412af0'],
    'audit_id': u'wiwisOGMR1ONUKw8rgIgOw',
    'trustee_id': None,
    'trustor_id': None,
    'expires_at': datetime.datetime(2017, 2, 7, 14, 19, 57),
    'consumer_id': None,
    'assignment_domain_id': u'default',
    'issued_at': datetime.datetime(2017, 2, 7, 8, 19, 57),
    'identity_domain_id': u'default',
    'audit_chain_id': u'wiwisOGMR1ONUKw8rgIgOw',
    'trust_id': None
}

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1662514

Title:
  Revoking a non-existing role revokes token for users of same role

Status in OpenStack Identity (keystone):
  New
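The following is an added example, not keystone's own code, that models the mechanism the report describes: a revocation_event row with project_id and role_id set but user_id NULL acts as a wildcard on users, so it matches user_admin's token even though the event came from a group that never held the role. The matcher, the assignment store and the `check_exists` switch are simplified assumptions; the field names and sample values mirror the table and token_data above.

```python
from datetime import datetime

# Constructed values mirroring the report's revocation_event row and token_data.
PROJECT = 'b7f38f1af5304e2bb18737e6725f2f4a'
ADMIN_ROLE = 'f669540d3e11483ba1ce1e5de9412af0'
VIEWER_ROLE = 'viewer-role-id-constructed'   # placeholder, not from the report

def event_matches_token(event, token):
    """Simplified matcher (assumption, not keystone's revoke_model.py): a NULL
    field in the event is a wildcard, a set field must equal the token's field,
    a set role_id must be among the token's roles, and only tokens issued
    before the event's issued_before are affected."""
    if token['issued_at'] >= event['issued_before']:
        return False
    for key in ('domain_id', 'project_id', 'user_id', 'trust_id'):
        if event[key] is not None and event[key] != token.get(key):
            return False
    if event['role_id'] is not None and event['role_id'] not in token['roles']:
        return False
    return True

def remove_group_role(assignments, group, project, role, events, check_exists):
    """Model of 'openstack role remove ... --group'. check_exists=False mimics
    the reported behaviour (an event is recorded even though the group never
    held the role); check_exists=True records it only after a real deletion."""
    key = (group, project, role)
    if check_exists and key not in assignments:
        return None
    assignments.discard(key)
    event = {'domain_id': None, 'project_id': project, 'user_id': None,
             'role_id': role, 'trust_id': None,
             'issued_before': datetime(2017, 2, 7, 8, 30, 37)}
    events.append(event)
    return event

def token_is_revoked(token, events):
    return any(event_matches_token(e, token) for e in events)

def reproduce(check_exists):
    """Steps 1 and 2 of the report; returns True if user_admin's token ends up revoked."""
    assignments = {('grp_viewer', PROJECT, VIEWER_ROLE)}   # admin was never assigned to the group
    events = []
    user_admin_token = {'project_id': PROJECT, 'user_id': 'user_admin', 'roles': [ADMIN_ROLE],
                        'issued_at': datetime(2017, 2, 7, 8, 19, 57)}
    remove_group_role(assignments, 'grp_viewer', PROJECT, ADMIN_ROLE, events, check_exists)
    return token_is_revoked(user_admin_token, events)
```

`reproduce(check_exists=False)` returns True, reproducing the report; with the existence check no event is written and the unrelated token survives.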