Merge "Update Keyring password info before sending out notification"

2020-02-04 16:18:28 +00:00 · 2020-02-04 16:18:28 +00:00 · 160f415d29
parent 8c7def7074 d1294d7e67
commit 160f415d29
1 changed files with 14 additions and 10 deletions
--- a/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch
+++ b/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch
@ -5,9 +5,9 @@ Subject: [PATCH 1/1] Rebasing Keyring integration

 ---
 keystone/exception.py     |  6 ++++++
- keystone/identity/core.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ keystone/identity/core.py | 54 +++++++++++++++++++++++++++++++++++++++++++++++
 requirements.txt          |  1 +
- 3 files changed, 57 insertions(+)
+ 3 files changed, 61 insertions(+)

 diff --git a/keystone/exception.py b/keystone/exception.py
 index b85878b..56601ce 100644
@ -73,21 +73,25 @@ index ed43e76..da7e7ba 100644
     @domains_configured
     @exception_translated('user')
     def update_user(self, user_id, user_ref, initiator=None):
-@@ -1113,6 +1135,13 @@ class Manager(manager.Manager):
-             )
-             notifications.invalidate_token_cache_notification(reason)
+@@ -1099,6 +1121,17 @@ class Manager(manager.Manager):
+ 
+         ref = driver.update_user(entity_id, user)
 
 +        # Certain local Keystone users are stored in Keystone as opposed
 +        # to the default SQL Identity backend, such as the admin user.
 +        # When its password is updated, we need to update Keyring as well
 +        # as certain services retrieve this user context from Keyring and
 +        # will get auth failures
+        # Need update password before send out notification. Otherwise,
+        # any process monitor the notification will still get old password
+        # from Keyring.
 +        if ('password' in user) and ('name' in ref):
 +            self._update_keyring_password(ref, user['password'])
-         return self._set_domain_id_and_mapping(
-             ref, domain_id, driver, mapping.EntityType.USER)
+
+         notifications.Audit.updated(self._USER, user_id, initiator)
 
-@@ -1128,6 +1157,7 @@ class Manager(manager.Manager):
+         enabled_change = ((user.get('enabled') is False) and
+@@ -1128,6 +1161,7 @@ class Manager(manager.Manager):
         hints.add_filter('user_id', user_id)
         fed_users = PROVIDERS.shadow_users_api.list_federated_users_info(hints)
 
@ -95,7 +99,7 @@ index ed43e76..da7e7ba 100644
         driver.delete_user(entity_id)
         PROVIDERS.assignment_api.delete_user_assignments(user_id)
         self.get_user.invalidate(self, user_id)
-@@ -1141,6 +1171,18 @@ class Manager(manager.Manager):
+@@ -1141,6 +1175,18 @@ class Manager(manager.Manager):
 
         PROVIDERS.credential_api.delete_credentials_for_user(user_id)
         PROVIDERS.id_mapping_api.delete_id_mapping(user_id)
@ -114,7 +118,7 @@ index ed43e76..da7e7ba 100644
         notifications.Audit.deleted(self._USER, user_id, initiator)
 
         # Invalidate user role assignments cache region, as it may be caching
-@@ -1390,6 +1432,14 @@ class Manager(manager.Manager):
+@@ -1390,6 +1436,14 @@ class Manager(manager.Manager):
         notifications.Audit.updated(self._USER, user_id, initiator)
         self._persist_revocation_event_for_user(user_id)