Cannot use trusts with fernet tokens
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Boris Bobrov | ||
Bug Description
Master, devstack (installed today).
1. Enable fernet tokens in Keystone
2. Add the following lib to glance/common/ folder:
http://
3. Replace upload method in glance/
http://
NOTE: it is just example of the code to demonstrate that fernet tokens can't work well with trusts.
4. Restart glance
5. Try to upload any image.
You will get the following error when deleting the trust: http://
When you try to upload big image that requires more than hour (or reduce token expiration)
you will get the following: http://
Apparently, refreshed token rejected by keystone-
I faced with the issue when implementing trusts for Glance but it seems that Heat and other services have the same troubles.
UUID tokens works as expected.
| summary: |
- Cannot delete trust when using fernet tokens + Cannot use trusts with fernet tokens |
| tags: | added: fernet |
| Lance Bragstad (lbragstad) wrote | #1 |
| Alexander Makarov (amakarov) wrote | #2 |
| Kairat Kushaev (kkushaev) wrote | #3 |
| Kairat Kushaev (kkushaev) wrote | #4 |
| Kairat Kushaev (kkushaev) wrote | #5 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #6 |
| Changed in keystone: | |
| assignee: | nobody → Boris Bobrov (bbobrov) |
| status: | New → In Progress |
| Boris Bobrov (bbobrov) wrote | #7 |
| Changed in keystone: | |
| importance: | Undecided → Medium |
| Changed in keystone: | |
| milestone: | none → mitaka-2 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #8 |
| Changed in keystone: | |
| status: | In Progress → Fix Released |
| Thierry Carrez (ttx) wrote Fix included in openstack/keystone 9.0.0.0b2 | #9 |
Kairat,
Are you able to post the output from the keystone server logs (preferably with debug and verbose set to true)?