helpless exception message

Bug #1472987 reported by Dave Chen
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Dave Chen

Bug Description

When there is an invalid token in use, keystone will throw exception.UnsupportedTokenVersionException. Currently, there is no useful information provided and the user doesn't know what's happened; see the following error message.

CLI,
/usr/local/lib/python2.7/dist-packages/keystoneclient/shell.py:64: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
An unexpected error prevented the server from fulfilling your request: (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-b116d6e4-336a-48d0-9a00-939249ac5b1a)

keystone.log,
2015-07-09 17:19:27.034038 14283 ERROR keystone.common.wsgi [-]
2015-07-09 17:19:27.034047 14283 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-07-09 17:19:27.034049 14283 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 463, in __call__
2015-07-09 17:19:27.034051 14283 TRACE keystone.common.wsgi response = self.process_request(request)
2015-07-09 17:19:27.034053 14283 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/core.py", line 209, in process_request
2015-07-09 17:19:27.034055 14283 TRACE keystone.common.wsgi auth_context = self._build_auth_context(request)
2015-07-09 17:19:27.034057 14283 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/core.py", line 189, in _build_auth_context
2015-07-09 17:19:27.034059 14283 TRACE keystone.common.wsgi token_data=self.token_provider_api.validate_token(token_id))
2015-07-09 17:19:27.034061 14283 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/models/token_model.py", line 59, in __init__
2015-07-09 17:19:27.034063 14283 TRACE keystone.common.wsgi raise exception.UnsupportedTokenVersionException()
2015-07-09 17:19:27.034065 14283 TRACE keystone.common.wsgi UnsupportedTokenVersionException
2015-07-09 17:19:27.034067 14283 TRACE keystone.common.wsgi

We can provide some information to the end user, so the user knows what's happened and can go fix it.

Ruud (ruud800)
Changed in keystone:
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/199989

Changed in keystone:
assignee: nobody → Dave Chen (wei-d-chen)
status: Confirmed → In Progress
Dave Chen (wei-d-chen)
description: updated
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Low
tags: added: user-experience
Brant Knudson (blk-u) wrote :

How do I recreate this? When I pass an invalid token ID to keystone it returns 401, not 500.

$ curl -H "X-Auth-Token: dsajflkdsajfds" http://localhost:5000/v3/users
{"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}

Brant Knudson (blk-u) wrote :

The server shouldn't return a 500 error in this case; it should be a 401.

Dave Chen (wei-d-chen) wrote :

Hi Brant, this nasty error message was found when I happened to try to hack a token in the DB but missed some fields.

You can reproduce it this way:
update a valid token to remove the token method. I just use a V2 token on my side, so in the 'extra' field of the token it's "methods": ["password"]; then using this token will hit this issue both in the CLI and in keystone.log.

$ curl -g -i -X GET http://10.239.159.101:35357/v3/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: d59606e42356407e88428bba0a74f8fc"
HTTP/1.1 500 Internal Server Error
Date: Fri, 10 Jul 2015 12:57:50 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
x-openstack-request-id: req-22ece275-92e8-4d59-b8dc-8e94055ac7e9
Content-Length: 192
Connection: close
Content-Type: application/json

{"error": {"message": "An unexpected error prevented the server from fulfilling your request: (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}

see code: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L473-L477

Brant Knudson (blk-u) wrote :

We don't support hacking tokens in the DB.

Dave Chen (wei-d-chen) wrote :

Thanks Brant, I agree hacking a token is not the correct behavior, it must not be. But when this happens and something is not as we expected, should we care about it? From QA's view, I think we should, since this kind of testing is a general methodology they use.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/199989
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a62e5b18eaf731b584214dc80ff29749acabd51f
Submitter: Jenkins
Branch: master

commit a62e5b18eaf731b584214dc80ff29749acabd51f
Author: Dave Chen <email address hidden>
Date: Thu Jul 9 17:45:51 2015 +0800

    Give some message when an invalid token is in use

    Give some message when an invalid token is in use (UnsupportedTokenVersionException
    is thrown in this case), so end user will know what's happened.

    Change-Id: Iba33485b65a334ef1ef8a9b35717af6ba2b7bf5b
    Closes-Bug: #1472987
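
The behaviour argued for in this thread (a stored token that has lost its "methods" field is rejected with a reason the operator can read, and the client sees a 401 rather than a 500), as an added example that is not keystone's code or the merged fix. The names `token_version`, `authenticate` and `STORE`, the sample token data and the version-detection rule are assumptions made for this sketch.

```python
GENERIC_401 = "The request you have made requires authentication."


class UnsupportedTokenVersion(Exception):
    """Hypothetical stand-in for keystone's UnsupportedTokenVersionException."""


def token_version(token_data):
    """Return 'v2.0' or 'v3.0', or raise with a diagnostic message.

    Assumed rule for this sketch: v2 data carries an 'access' key,
    v3 data carries token['methods'].
    """
    if isinstance(token_data, dict):
        if "access" in token_data:
            return "v2.0"
        token = token_data.get("token")
        if isinstance(token, dict):
            if "methods" in token:
                return "v3.0"
            raise UnsupportedTokenVersion(
                "token data has no 'methods' field; found keys: %s"
                % sorted(token))
    raise UnsupportedTokenVersion("token data is neither v2.0 nor v3.0 format")


def authenticate(store, token_id):
    """Return (http_status, client_message, server_log_line)."""
    token_data = store.get(token_id)
    if token_data is None:
        return 401, GENERIC_401, "unknown token"
    try:
        version = token_version(token_data)
    except UnsupportedTokenVersion as exc:
        # Fail closed: the reason goes to the server log only, the client
        # gets the same generic 401 as for any other bad token.
        return 401, GENERIC_401, "rejected stored token: %s" % exc
    return 200, "authenticated with %s token" % version, "ok"


# Constructed sample data, not taken from a real deployment.
STORE = {
    "good-v3": {"token": {"methods": ["password"], "user": {"id": "u1"}}},
    "good-v2": {"access": {"token": {"id": "good-v2"}}},
    "tampered": {"token": {"user": {"id": "u1"}}},  # 'methods' removed
}

if __name__ == "__main__":
    for tid in ("good-v3", "good-v2", "tampered", "missing"):
        print(tid, authenticate(STORE, tid))
```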

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-3 → 8.0.0