From d1294d7e679460661b42af64c87480b429a3366c Mon Sep 17 00:00:00 2001
From: Shuicheng Lin
Date: Wed, 18 Dec 2019 12:47:23 +0800
Subject: [PATCH] Update Keyring password info before sending out notification

Need update password before send out notification. Otherwise, any process which monitors the "updated" notification will still get old password from Keyring.

Partial-Bug: 1853017
Change-Id: Id1c94fedca41abe96c7b38880bf325d4a25a95eb
Signed-off-by: Shuicheng Lin
---
 .../0001-Rebasing-Keyring-integration.patch | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch b/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch
index b9ad336e..d9b87d5e 100644
--- a/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch
+++ b/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch
@@ -5,9 +5,9 @@ Subject: [PATCH 1/1] Rebasing Keyring integration
 
 ---
  keystone/exception.py | 6 ++++++
- keystone/identity/core.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ keystone/identity/core.py | 54 +++++++++++++++++++++++++++++++++++++++++++++++
  requirements.txt | 1 +
- 3 files changed, 57 insertions(+)
+ 3 files changed, 61 insertions(+)
 
 diff --git a/keystone/exception.py b/keystone/exception.py
 index b85878b..56601ce 100644
@@ -73,21 +73,25 @@ index ed43e76..da7e7ba 100644 @domains_configured @exception_translated('user') def update_user(self, user_id, user_ref, initiator=None): -@@ -1113,6 +1135,13 @@ class Manager(manager.Manager): - ) - notifications.invalidate_token_cache_notification(reason) +@@ -1099,6 +1121,17 @@ class Manager(manager.Manager): + + ref = driver.update_user(entity_id, user) + # Certain local Keystone users are stored in Keystone as opposed + # to the default SQL Identity backend, such as the admin user. + # When its password is updated, we need to update Keyring as well + # as certain services retrieve this user context from Keyring and + # will get auth failures ++ # Need update password before send out notification. Otherwise, ++ # any process monitor the notification will still get old password ++ # from Keyring. + if ('password' in user) and ('name' in ref): + self._update_keyring_password(ref, user['password']) - return self._set_domain_id_and_mapping( - ref, domain_id, driver, mapping.EntityType.USER) ++ + notifications.Audit.updated(self._USER, user_id, initiator) -@@ -1128,6 +1157,7 @@ class Manager(manager.Manager): + enabled_change = ((user.get('enabled') is False) and +@@ -1128,6 +1161,7 @@ class Manager(manager.Manager): hints.add_filter('user_id', user_id) fed_users = PROVIDERS.shadow_users_api.list_federated_users_info(hints) @@ -95,7 +99,7 @@ index ed43e76..da7e7ba 100644 driver.delete_user(entity_id) PROVIDERS.assignment_api.delete_user_assignments(user_id) self.get_user.invalidate(self, user_id) -@@ -1141,6 +1171,18 @@ class Manager(manager.Manager): +@@ -1141,6 +1175,18 @@ class Manager(manager.Manager): PROVIDERS.credential_api.delete_credentials_for_user(user_id) PROVIDERS.id_mapping_api.delete_id_mapping(user_id) 
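Review bot: With `self._update_keyring_password(ref, user['password'])` now placed between `driver.update_user(entity_id, user)` and `notifications.Audit.updated(self._USER, user_id, initiator)`, a failure in the Keyring helper would presumably abort `update_user` after the backend password has already changed and before the audit event is emitted. The helper's body and the rest of `update_user` lie outside this hunk, so whether it raises or swallows errors cannot be confirmed from here. If that outcome is intended, the new comment should say so, for example `# If the Keyring update raises, no "updated" audit event is sent although the backend password already changed.`. Otherwise the failure should be caught and logged without the password value, so the credential change stays traceable. The guard `('password' in user) and ('name' in ref)` also does not itself restrict the update to the "certain local Keystone users" the comment describes, so it is worth confirming that the helper applies that restriction.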
@@ -114,7 +118,7 @@ index ed43e76..da7e7ba 100644 notifications.Audit.deleted(self._USER, user_id, initiator) # Invalidate user role assignments cache region, as it may be caching -@@ -1390,6 +1432,14 @@ class Manager(manager.Manager): +@@ -1390,6 +1436,14 @@ class Manager(manager.Manager): notifications.Audit.updated(self._USER, user_id, initiator) self._persist_revocation_event_for_user(user_id)