can not login to Dashboard on devstack

Bug #1331406 reported by Pavlo Shchelokovskyy
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | Invalid | Critical | Unassigned |
OpenStack Identity (keystone) | Invalid | Critical | Adam Young |
django-openstack-auth | Fix Released | Critical | Adam Young |

Bug Description

Using fresh master of devstack and fresh masters of all services.

When I try to login into the Dashboard, I do not leave the login page (as if nothing happened, no error displayed). Strangely the screen log for horizon service in devstack displays

[Wed Jun 18 10:09:46.533780 2014] [:error] [pid 24605:tid 139679844230912] INFO:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.122.162
[Wed Jun 18 10:09:46.535449 2014] [:error] [pid 24605:tid 139679844230912] DEBUG:urllib3.connectionpool:Setting read timeout to None
[Wed Jun 18 10:09:46.623021 2014] [:error] [pid 24605:tid 139679844230912] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 1352
[Wed Jun 18 10:09:46.633130 2014] [:error] [pid 24605:tid 139679844230912] INFO:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.122.162
[Wed Jun 18 10:09:46.633459 2014] [:error] [pid 24605:tid 139679844230912] DEBUG:urllib3.connectionpool:Setting read timeout to None
[Wed Jun 18 10:09:46.652504 2014] [:error] [pid 24605:tid 139679844230912] DEBUG:urllib3.connectionpool:"GET /v2.0/tenants HTTP/1.1" 200 244
[Wed Jun 18 10:09:46.654398 2014] [:error] [pid 24605:tid 139679844230912] INFO:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.122.162
[Wed Jun 18 10:09:46.654701 2014] [:error] [pid 24605:tid 139679844230912] DEBUG:urllib3.connectionpool:Setting read timeout to None
[Wed Jun 18 10:09:46.750292 2014] [:error] [pid 24605:tid 139679844230912] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 7457
[Wed Jun 18 10:09:46.753146 2014] [:error] [pid 24605:tid 139679844230912] Login successful for user "demo".
[Wed Jun 18 10:09:46.753354 2014] [:error] [pid 24605:tid 139679844230912] DeprecationWarning: check_for_test_cookie is deprecated; ensure your login view is CSRF-protected.
[Wed Jun 18 10:09:46.753396 2014] [:error] [pid 24605:tid 139679844230912] WARNING:py.warnings:DeprecationWarning: check_for_test_cookie is deprecated; ensure your login view is CSRF-protected.

Note the "Login successful" line. All the OS cli clients work as expected with the same credentials I use to login.

Changed in horizon:
status: New → Confirmed
Ana Krivokapić (akrivoka) wrote :

I ran git bisect on keystone and it turns out the culprit is the commit ed13c0e5d4ceb55a1180e2818a425dc6c60420a9 (before that one, logging into Horizon works fine).

Ana Krivokapić (akrivoka) wrote :

Sorry, I pasted a wrong hash in the previous comment. This is the keystone commit which is at fault:

21bf6c7fdae14a5e2143c3bad4914e30c982f5d4 (Default to PKIZ tokens)

Changed in horizon:
importance: Undecided → Critical
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Critical
status: New → Triaged
Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Adam Young (ayoung) wrote :

Problem is in django-openstack-auth: hardcoded to only deal with PKI tokens (is_asn1) and not PKIZ tokens, so it doesn't know to hash them

Morgan Fainberg (mdrnstm) wrote :

This isn't a bug with Keystone; it was raised by keystone changing the token format to not match the is_asn1_token check. Because this check failed, the length of the token id exceeded the key size limitation for the session. The fix is to not check if the token is ASN1 before hashing, but to hash if the token length is > maximum allowable size.

Changed in keystone:
status: Triaged → Invalid
Adam Young (ayoung) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/101089

Changed in django-openstack-auth:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/101360

OpenStack Infra (hudson-openstack) wrote : Change abandoned on django_openstack_auth (master)

Change abandoned by ayoung (<email address hidden>) on branch: master
Review: https://review.openstack.org/101360
Reason: Duplicate

Changed in django-openstack-auth:
assignee: Morgan Fainberg (mdrnstm) → Adam Young (ayoung)
Julie Pichon (jpichon)
Changed in django-openstack-auth:
importance: Undecided → Critical
Julie Pichon (jpichon) wrote :

A temporary workaround while waiting for the patch to land and be released is to set the provider back to keystone.token.providers.pki.Provider or keystone.token.providers.uuid.Provider, in the Keystone.conf for the provider setting: https://github.com/openstack/keystone/blob/e03c7af51c/etc/keystone.conf.sample#L1314 (thanks to Morgan for the helpful tips!). I tested with PKI and UUID and it does resolve the login issue.

OpenStack Infra (hudson-openstack) wrote : Fix merged to django_openstack_auth (master)

Reviewed: https://review.openstack.org/101089
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=ff6188c7fe41ec2eb38b7159758a5f1e4da401e4
Submitter: Jenkins
Branch: master

commit ff6188c7fe41ec2eb38b7159758a5f1e4da401e4
Author: Adam Young <email address hidden>
Date: Wed Jun 18 23:20:02 2014 -0400

    Hash the token id if it is over a maximum length

    Instead of exclusively hashing the token id based on if the token is
    ASN1, hash the id if it exceeds the maximum size allowed within the
    session. Keystone has allowed more than simple PKI and UUID tokens so
    the is_asn1_token check will not catch all cases.

    Closes-Bug: 1331406

    Change-Id: I7891eb3fb35a10926ac16829eed0ff8c306f2661
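
The difference between the format-based check and the length-based check described in the commit message above and in Morgan Fainberg's comment, as an added example that is not part of the bug report or of the django_openstack_auth code. The 64-character limit, the use of SHA-256, the function names and the "MII" prefix test (a simplified stand-in for is_asn1_token) are assumptions of this example, and the sample token ids are constructed.

```python
import base64
import hashlib
import uuid
import zlib

MAX_SESSION_ID_LENGTH = 64  # assumed limit for this example, not a value from the page


def looks_like_asn1(token_id):
    """Simplified stand-in for is_asn1_token: base64 of DER data starts with 'MII'."""
    return token_id.startswith("MII")


def session_id_by_format(token_id):
    """Behaviour before the fix: hash only ids recognised as ASN1 (PKI) tokens."""
    if looks_like_asn1(token_id):
        return hashlib.sha256(token_id.encode()).hexdigest()
    return token_id


def session_id_by_length(token_id, max_length=MAX_SESSION_ID_LENGTH):
    """Behaviour after the fix: hash any id over the limit, whatever its format."""
    if len(token_id) > max_length:
        return hashlib.sha256(token_id.encode()).hexdigest()
    return token_id


def make_sample_tokens():
    """Constructed sample ids, one per token format; none is a real token."""
    der_like = b"\x30\x82\x04\x00" + bytes(range(256)) * 4  # DER-style header + filler
    compressed = zlib.compress(der_like)
    return {
        "uuid": uuid.UUID(int=0x1234).hex,
        "pki": base64.b64encode(der_like).decode(),
        "pkiz": "PKIZ_" + base64.urlsafe_b64encode(compressed).decode(),
    }


def compare(tokens=None):
    """Return {format: (raw length, length after format check, length after length check)}."""
    tokens = tokens or make_sample_tokens()
    return {name: (len(tid), len(session_id_by_format(tid)), len(session_id_by_length(tid)))
            for name, tid in tokens.items()}


if __name__ == "__main__":
    for name, (raw, old, new) in compare().items():
        print(f"{name:5} raw={raw:5} format-check={old:5} length-check={new:5}")
```

Only the PKIZ row differs between the two checks: the format test passes the full-length id through to the session, while the length test reduces it to a fixed-size digest.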

Changed in django-openstack-auth:
status: In Progress → Fix Committed
David Lyle (david-lyle)
Changed in django-openstack-auth:
status: Fix Committed → Fix Released
David Lyle (david-lyle) wrote :

While this affects Horizon, the problem was in django_openstack_auth and a fix has been released.

Changed in horizon:
status: Confirmed → Invalid
Akihiro Motoki (amotoki)
Changed in django-openstack-auth:
milestone: none → 1.1.6