opentelekomcloud / vault-plugin-secrets-openstack

Create OpenStack tokens using HashiCorp Vault
Apache License 2.0

token in the dynamic creds is not having all roles #107

Closed gtema closed 5 months ago

gtema commented 1 year ago

The dynamic user created when requesting dynamic creds is placed into the desired user_group, but the token does not have the roles of this user_group.

gtema commented 1 year ago

A new token retrieved from the token has all roles as expected. Most likely this is caused by delays on identity, which is not doing immediate group assignment (something like sleep 1s before getting the token after placing the user in the group).

lego963 commented 1 year ago

@gtema sleep is a bad practice, because we don't know how much time Keystone needs to apply groups. Maybe we should add a WARN/INFO message in the logs and in the docs.

gtema commented 1 year ago

Yeah, but returning not what the user is expecting is not much better. It was just a "statement" describing what may be an issue.

gtema commented 1 year ago

The issue is that we can't even detect that easily, rather than going through all user groups, collecting their roles and verifying those are present in the token.

artem-lifshits commented 1 year ago

Refers to: #106
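The check discussed in this thread (compare the roles collected from the user's groups with the roles in the issued token), combined with a bounded re-request instead of a fixed sleep, as an added example that is not part of the thread or the plugin's code. `TokenIssuer`, `MissingRoles`, `IssueWithRoles` and `ErrRolesMissing` are hypothetical names, and the expected role list is assumed to have been collected from the user's groups beforehand.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TokenIssuer is a hypothetical stand-in for the Keystone token request; it returns the token's role names.
type TokenIssuer func() ([]string, error)
var ErrRolesMissing = errors.New("token is missing expected group roles")

// MissingRoles returns the expected role names that the token does not carry.
func MissingRoles(expected, tokenRoles []string) (missing []string) {
	have := map[string]bool{}
	for _, r := range tokenRoles {
		have[r] = true
	}
	for _, r := range expected {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

// IssueWithRoles re-requests a token until it carries every expected role, and fails closed after `attempts`.
func IssueWithRoles(issue TokenIssuer, expected []string, attempts int, wait time.Duration) ([]string, int, error) {
	var missing []string
	for i := 1; i <= attempts; i++ {
		time.Sleep(wait * time.Duration(i-1)) // linear backoff, no wait before the first try
		roles, err := issue()
		if err != nil {
			return nil, i, err
		}
		if missing = MissingRoles(expected, roles); len(missing) == 0 {
			return roles, i, nil
		}
	}
	return nil, attempts, fmt.Errorf("%w: %v", ErrRolesMissing, missing)
}

func main() {
	calls := 0 // constructed issuer: the group role only appears on the third request
	issue := func() ([]string, error) {
		calls++
		return []string{"member", "admin"}[:1+calls/3], nil
	}
	fmt.Println(IssueWithRoles(issue, []string{"member", "admin"}, 5, time.Millisecond))
}
```

Returning an error once the attempt budget is spent means a caller never receives a token whose roles differ from what the role definition promises.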