Update Keyring password info before sending out notification

Need update password before send out notification. Otherwise, any process which monitors the "updated" notification will still get old password from Keyring. Partial-Bug: 1853017 Partial-Bug: 1853093 Change-Id: Id1c94fedca41abe96c7b38880bf325d4a25a95eb Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com> (cherry picked from commit d1294d7e67)
2019-12-18 12:47:23 +08:00 · 2019-12-18 12:47:23 +08:00 · dfe155136d
parent 98b288dd13
commit dfe155136d
1 changed files with 14 additions and 10 deletions
--- a/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch
+++ b/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch
@ -5,9 +5,9 @@ Subject: [PATCH 1/1] Rebasing Keyring integration

 ---
 keystone/exception.py     |  6 ++++++
- keystone/identity/core.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ keystone/identity/core.py | 54 +++++++++++++++++++++++++++++++++++++++++++++++
 requirements.txt          |  1 +
- 3 files changed, 57 insertions(+)
+ 3 files changed, 61 insertions(+)

 diff --git a/keystone/exception.py b/keystone/exception.py
 index b85878b..56601ce 100644
@ -73,21 +73,25 @@ index ed43e76..da7e7ba 100644
     @domains_configured
     @exception_translated('user')
     def update_user(self, user_id, user_ref, initiator=None):
-@@ -1113,6 +1135,13 @@ class Manager(manager.Manager):
-             )
-             notifications.invalidate_token_cache_notification(reason)
+@@ -1099,6 +1121,17 @@ class Manager(manager.Manager):
+ 
+         ref = driver.update_user(entity_id, user)
 
 +        # Certain local Keystone users are stored in Keystone as opposed
 +        # to the default SQL Identity backend, such as the admin user.
 +        # When its password is updated, we need to update Keyring as well
 +        # as certain services retrieve this user context from Keyring and
 +        # will get auth failures
+        # Need update password before send out notification. Otherwise,
+        # any process monitor the notification will still get old password
+        # from Keyring.
 +        if ('password' in user) and ('name' in ref):
 +            self._update_keyring_password(ref, user['password'])
-         return self._set_domain_id_and_mapping(
-             ref, domain_id, driver, mapping.EntityType.USER)
+
+         notifications.Audit.updated(self._USER, user_id, initiator)
 
-@@ -1128,6 +1157,7 @@ class Manager(manager.Manager):
+         enabled_change = ((user.get('enabled') is False) and
+@@ -1128,6 +1161,7 @@ class Manager(manager.Manager):
         hints.add_filter('user_id', user_id)
         fed_users = PROVIDERS.shadow_users_api.list_federated_users_info(hints)
 
@ -95,7 +99,7 @@ index ed43e76..da7e7ba 100644
         driver.delete_user(entity_id)
         PROVIDERS.assignment_api.delete_user_assignments(user_id)
         self.get_user.invalidate(self, user_id)
-@@ -1141,6 +1171,18 @@ class Manager(manager.Manager):
+@@ -1141,6 +1175,18 @@ class Manager(manager.Manager):
 
         PROVIDERS.credential_api.delete_credentials_for_user(user_id)
         PROVIDERS.id_mapping_api.delete_id_mapping(user_id)
@ -114,7 +118,7 @@ index ed43e76..da7e7ba 100644
         notifications.Audit.deleted(self._USER, user_id, initiator)
 
         # Invalidate user role assignments cache region, as it may be caching
-@@ -1390,6 +1432,14 @@ class Manager(manager.Manager):
+@@ -1390,6 +1436,14 @@ class Manager(manager.Manager):
         notifications.Audit.updated(self._USER, user_id, initiator)
         self._persist_revocation_event_for_user(user_id)