Update Keyring password info before sending out notification

Need update password before send out notification. Otherwise, any
process which monitors the "updated" notification will still get old
password from Keyring.

Partial-Bug: 1853017

Change-Id: Id1c94fedca41abe96c7b38880bf325d4a25a95eb
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
This commit is contained in:
Shuicheng Lin 2019-12-18 12:47:23 +08:00
parent 9765445751
commit d1294d7e67

View File

@ -5,9 +5,9 @@ Subject: [PATCH 1/1] Rebasing Keyring integration
--- ---
keystone/exception.py | 6 ++++++ keystone/exception.py | 6 ++++++
keystone/identity/core.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++ keystone/identity/core.py | 54 +++++++++++++++++++++++++++++++++++++++++++++++
requirements.txt | 1 + requirements.txt | 1 +
3 files changed, 57 insertions(+) 3 files changed, 61 insertions(+)
diff --git a/keystone/exception.py b/keystone/exception.py diff --git a/keystone/exception.py b/keystone/exception.py
index b85878b..56601ce 100644 index b85878b..56601ce 100644
@ -73,21 +73,25 @@ index ed43e76..da7e7ba 100644
@domains_configured @domains_configured
@exception_translated('user') @exception_translated('user')
def update_user(self, user_id, user_ref, initiator=None): def update_user(self, user_id, user_ref, initiator=None):
@@ -1113,6 +1135,13 @@ class Manager(manager.Manager): @@ -1099,6 +1121,17 @@ class Manager(manager.Manager):
)
notifications.invalidate_token_cache_notification(reason) ref = driver.update_user(entity_id, user)
+ # Certain local Keystone users are stored in Keystone as opposed + # Certain local Keystone users are stored in Keystone as opposed
+ # to the default SQL Identity backend, such as the admin user. + # to the default SQL Identity backend, such as the admin user.
+ # When its password is updated, we need to update Keyring as well + # When its password is updated, we need to update Keyring as well
+ # as certain services retrieve this user context from Keyring and + # as certain services retrieve this user context from Keyring and
+ # will get auth failures + # will get auth failures
+ # Need update password before send out notification. Otherwise,
+ # any process monitor the notification will still get old password
+ # from Keyring.
+ if ('password' in user) and ('name' in ref): + if ('password' in user) and ('name' in ref):
+ self._update_keyring_password(ref, user['password']) + self._update_keyring_password(ref, user['password'])
return self._set_domain_id_and_mapping( +
ref, domain_id, driver, mapping.EntityType.USER) notifications.Audit.updated(self._USER, user_id, initiator)
@@ -1128,6 +1157,7 @@ class Manager(manager.Manager): enabled_change = ((user.get('enabled') is False) and
@@ -1128,6 +1161,7 @@ class Manager(manager.Manager):
hints.add_filter('user_id', user_id) hints.add_filter('user_id', user_id)
fed_users = PROVIDERS.shadow_users_api.list_federated_users_info(hints) fed_users = PROVIDERS.shadow_users_api.list_federated_users_info(hints)
@ -95,7 +99,7 @@ index ed43e76..da7e7ba 100644
driver.delete_user(entity_id) driver.delete_user(entity_id)
PROVIDERS.assignment_api.delete_user_assignments(user_id) PROVIDERS.assignment_api.delete_user_assignments(user_id)
self.get_user.invalidate(self, user_id) self.get_user.invalidate(self, user_id)
@@ -1141,6 +1171,18 @@ class Manager(manager.Manager): @@ -1141,6 +1175,18 @@ class Manager(manager.Manager):
PROVIDERS.credential_api.delete_credentials_for_user(user_id) PROVIDERS.credential_api.delete_credentials_for_user(user_id)
PROVIDERS.id_mapping_api.delete_id_mapping(user_id) PROVIDERS.id_mapping_api.delete_id_mapping(user_id)
@ -114,7 +118,7 @@ index ed43e76..da7e7ba 100644
notifications.Audit.deleted(self._USER, user_id, initiator) notifications.Audit.deleted(self._USER, user_id, initiator)
# Invalidate user role assignments cache region, as it may be caching # Invalidate user role assignments cache region, as it may be caching
@@ -1390,6 +1432,14 @@ class Manager(manager.Manager): @@ -1390,6 +1436,14 @@ class Manager(manager.Manager):
notifications.Audit.updated(self._USER, user_id, initiator) notifications.Audit.updated(self._USER, user_id, initiator)
self._persist_revocation_event_for_user(user_id) self._persist_revocation_event_for_user(user_id)