keystoneauth1 v3 Token object ignores the token passed in
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
keystoneauth |
Invalid
|
Undecided
|
Divya K Konoor |
Bug Description
The primary problem reported in the defect is that when a keystoneauth1 identity Token is set in the session and a REST call is made, the session does not use the same token for making the call.
auth = identity.
s = session.
resp = s.get('http://
Even though the token has been explicitly as part of the v3.Token object , the token that is set is not user to make the REST call. Instead a new unscoped token is generated. This new unscoped token which is generated doesn't have roles, project and catalog information as seen below
{"token": {"issued_at": "2017-05-
The flow here is :
1. Using the keystoneauth1 session object a post call is made with the auth v3.Token object set.
2. When we make a session call, control comes here
>> https:/
>> https:/
>> https:/
The keystoneauth1.
>> https:/
>> https:/
>> https:/
The above check for re-authenticate always returns True as it does not consider the token that has been passed into the v3.Token object and in all cases goes on to create a new token, which is subsequently used to make the REST call, which happens here>>
https:/
https:/
3. To resolve the above problem I overrided the get_token method inside v3.Token to return the token that was passed in instead of a re-authentication and everything worked fine..Of course this is more of a hack to check if this helped fix this problem. The below doesn't have logic to check if the token was going to expire and if re-authentication was required etc.
class Token(base.
_auth_
token_new = None
def __init__(self, auth_url, token, **kwargs):
def get_token(self, session, **kwargs):
return self.token_new
description: | updated |
affects: | keystone → keystoneauth |
description: | updated |
summary: |
- token data doesn't have roles, projects and catalog information + keystoneauth1 v3 Token object ignores the token passed in |
Changed in keystoneauth: | |
assignee: | nobody → Divya K Konoor (dikonoor) |
no longer affects: | keystone |
v3.Token will never be able to support re-authentication (you can use one token to get another, but the expiration date of the next token cannot exceed that of the original token, to prevent a malicious user that is able to get a token from being able to extend their access indefinitely). So simply returning the existing token from get_token without worrying about checking expiration and re-authentication should be a sufficient fix here.