token gets truncated with PKI tokens

Bug #1484499 reported by Matthias Runge
This bug affects 2 people
Affects: django-openstack-auth
Status: Fix Released
Importance: High
Assigned to: Matthias Runge

Bug Description

This is specific to PKI tokens.

Set up a user with 2 projects, then log that user in to Horizon.

You'll see that the project switcher (in the upper corner) is empty.

I can see a stack trace:
Unable to retrieve project list.
Traceback (most recent call last):
  File "/home/mrunge/work/django_openstack_auth/openstack_auth/user.py", line 310, in authorized_tenants
    is_federated=self.is_federated)
  File "/home/mrunge/work/django_openstack_auth/openstack_auth/utils.py", line 142, in wrapper
    result = func(*args, **kwargs)
  File "/home/mrunge/work/django_openstack_auth/openstack_auth/utils.py", line 259, in get_project_list
    projects = client.tenants.list()
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/tenants.py", line 123, in list
    tenant_list = self._list('/tenants%s' % query, 'tenants')
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 124, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 395, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-1fd4c0dc-ddad-4044-8bf8-7a19bc174f1c)

Looking a bit more, the token seems to be way too short.

I tested with code both with and without this commit:
https://github.com/openstack/django_openstack_auth/commit/1980c66952eae7016f80cc819f88e4ad9b099c65

Matthias Runge (mrunge) wrote :
summary: - user tenants list not working
+ token gets truncated with PKI tokens
Matthias Runge (mrunge)
Changed in django-openstack-auth:
importance: Undecided → High
Matthias Runge (mrunge) wrote :

Horizon seems to use a hash of the token.

Lin Hua Cheng (lin-hua-cheng) wrote :

Matthias: the bug I linked should resolve your issue.

Matthias Runge (mrunge) wrote :

Lin, it does not. As stated in the first comment, it doesn't matter if you have that patch or not.

Matthias Runge (mrunge) wrote :

In fact, I'm using a database as the session backend for the tests.
This issue goes away when I set

OPENSTACK_TOKEN_HASH_ENABLED = False

OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/215103

Changed in django-openstack-auth:
assignee: nobody → Matthias Runge (mrunge)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to django_openstack_auth (master)

Reviewed: https://review.openstack.org/215103
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=aed28851b933a04dffcff70674f7afad84cb2d57
Submitter: Jenkins
Branch: master

commit aed28851b933a04dffcff70674f7afad84cb2d57
Author: Matthias Runge <email address hidden>
Date: Thu Aug 20 13:50:36 2015 +0200

    initialize the hasher for unscoped token

    Using PKI tokens results in an empty
    projects list in horizon and a 403 error from
    keystone.

    Change-Id: If6853343125112340e447e760ee7d997e6e7384f
    Closes-Bug: #1484499
    Closes-Bug: #1486745

Changed in django-openstack-auth:
status: In Progress → Fix Committed
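
Added example, not part of the bug report and not the project's code: the commit title "initialize the hasher for unscoped token" points at a hash object shared between two tokens, and this sketch shows how that sharing alone produces a stored token id the identity service rejects. The token blobs, function names, the sha256 choice and the lookup table standing in for Keystone are all constructed for illustration.

```python
import hashlib

# Constructed stand-ins for long PKI token blobs; not real tokens.
SCOPED = b"MIIscoped" + b"A" * 2000
UNSCOPED = b"MIIunscoped" + b"B" * 2000


def digest(token, algorithm="sha256"):
    """Reference value: hash of one token using a fresh hash object."""
    return hashlib.new(algorithm, token).hexdigest()


def hash_pair_reused(scoped, unscoped, algorithm="sha256"):
    """Pitfall: one hash object serves both tokens."""
    hasher = hashlib.new(algorithm)
    hasher.update(scoped)
    scoped_id = hasher.hexdigest()
    # hexdigest() does not reset state, so this hashes scoped + unscoped.
    hasher.update(unscoped)
    return scoped_id, hasher.hexdigest()


def hash_pair_fresh(scoped, unscoped, algorithm="sha256"):
    """Each token gets its own hash object."""
    return digest(scoped, algorithm), digest(unscoped, algorithm)


def lookup(token_id, issued):
    """Toy identity service: accept only hashes of tokens it issued."""
    return 200 if token_id in issued else 401


def demo():
    """Return the status for the unscoped id from each hashing pattern."""
    issued = {digest(SCOPED), digest(UNSCOPED)}
    _, bad = hash_pair_reused(SCOPED, UNSCOPED)
    _, good = hash_pair_fresh(SCOPED, UNSCOPED)
    return lookup(bad, issued), lookup(good, issued)


if __name__ == "__main__":
    print(demo())  # (401, 200)
```

The scoped id is correct in both patterns, which is why login itself succeeds and only the later call made with the unscoped id fails.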
OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/215303

Matthias Runge (mrunge)
Changed in django-openstack-auth:
milestone: none → 1.3.2
Changed in django-openstack-auth:
milestone: none → 1.4.0
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to django_openstack_auth (stable/kilo)

Reviewed: https://review.openstack.org/215303
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=285e41674878e596b7162d3ba3c10a80c36430c9
Submitter: Jenkins
Branch: stable/kilo

commit 285e41674878e596b7162d3ba3c10a80c36430c9
Author: Matthias Runge <email address hidden>
Date: Thu Aug 20 13:50:36 2015 +0200

    initialize the hasher for unscoped token

    Using PKI tokens results in an empty
    projects list in horizon and a 403 error from
    keystone.

    Change-Id: If6853343125112340e447e760ee7d997e6e7384f
    Closes-Bug: #1484499
    Closes-Bug: #1486745
    (cherry picked from commit aed28851b933a04dffcff70674f7afad84cb2d57)

tags: added: in-stable-kilo
Canh Truong (canh-v-truong) wrote :

Hi, it seems that the issue is not specific only to PKI tokens. Please see https://bugs.launchpad.net/django-openstack-auth/+bug/1487372

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/django_openstack_auth 1.2.1

This issue was fixed in the openstack/django_openstack_auth 1.2.1 release.
