OpenStack Identity (keystone)

the service tries to get a new admin token when the user's token fails to validated

Bug #942985 reported by Joseph Heck
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Critical
Jesse Andrews
OpenStack Identity (keystone) 2012.1 "essex"

Bug Description

from http://etherpad.openstack.org/keystone-admin-config:

the service tries to get a new admin token when the user's token fails to validated (see below for example)
    (heckj) desired behavior? It should fail and return a 401 unauthorized response.
    (jesse) if the user's token doesn't validate it means the user's token is invalid, which is different than failing to validate because the auth middleware's token is not valid. bug #942984 is about not being able to get a admin token, whereas this is about the user's token being wrong

(related to bug #942984) (keystone)
(related to bug #942983) (keystone)
(depends on bug #942979) (devstack)

Example:

Glance fails after on essex-kvm (and others) after you use an invalid token

* This fails because auth_token is cleared after an attempt to validate any token fails under the (outdated) assumption that admin_token has expired and a new one is needed. this is why I think item #3 is needed. a response code should say 503 Service unavailable - and then on the log for keystone explain why it is failing (failed to retrieve token for tenant/user service/glance)

$ glance index
$ glance -A 6f6d341bc6914aa3b30b5408cd35813e index

both return:

ID Name Disk Format Container Format Size
------------------------------------ ------------------------------ -------------------- -------------------- --------------
8e43673a-78a6-463a-acd5-bd43fb089244 cirros-0.3.0-x86_64-rootfs ami ami 25165824
c7bdd9cb-ca04-4b6f-a0b3-465d63b5246f cirros-0.3.0-x86_64-blank-ramd ari ari 2254249
313b5457-9015-4692-853a-ebd7b5ab76cc cirros-0.3.0-x86_64-blank ami ami 25165824
df669e1d-2355-434c-abc2-e97496de1754 cirros-0.3.0-x86_64-blank-kern aki aki 4731440
b0a5025e-b9bd-4ca8-99cf-c55f1b9cc296 oneiric-server-cloudimg-amd64 ami ami 1476395008
885adc2c-026f-42c7-b292-ff64aea6256c oneiric-server-cloudimg-amd64- aki aki 4738064
6caca3a3-0bc5-4655-84bb-11baa753d1d0 natty-server-cloudimg-amd64 ami ami 1476395008
497a1632-fc1f-4772-8959-518b0bd8fab0 natty-server-cloudimg-amd64-ke aki aki 4596064
87c7ca1b-cd28-4dcf-ade6-3bba4abb130f ttylinux-uec-amd64-11.2_2.6.35 aki aki 4435920
08dc282b-42c7-4cf8-a122-f90214c0ce23 ttylinux-uec-amd64-11.2_2.6.35 ami ami 16777216

Then kill glance via:

$ glance -A FOO index
Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

Then any queries to glance fails until glance is restarted:

$ glance -A 6f6d341bc6914aa3b30b5408cd35813e index
Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

$ glance index
Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

See original description
Joseph Heck (heckj)
description: updated
Changed in keystone:
milestone: essex-rc1 → essex-4
Jesse Andrews (anotherjesse)
Changed in keystone:
milestone: essex-4 → essex-rc1
Revision history for this message
Adam Young (ayoung) wrote :

A Token not validating in this case is not a reason to return an error code. If the caller (the service) is authenticated but the token it is checking is not valid. This should return HTTP response code 200, but the body of the request should indicate that the token is invalid.

Revision history for this message
Jesse Andrews (anotherjesse) wrote :

being worked on here: https://review.openstack.org/#change,4675

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/4675
Committed: http://github.com/openstack/keystone/commit/33e6c29d0d9a29eea2f50bdc24dcf87329337e66
Submitter: Jenkins
Branch: master

commit 33e6c29d0d9a29eea2f50bdc24dcf87329337e66
Author: Jesse Andrews <email address hidden>
Date: Tue Feb 28 21:05:17 2012 -0800

    improve auth_token middleware

     * remove ability to run auth_token as stand-alone proxy service
     * only validate a token once
     * improved error handling & comments where further improvement needed
     * improved admin_token logic
     * resolved bug 942984 and bug 942985

    Change-Id: I12ae25c9d8047862072b7ebea1a98722eae1f40d

Changed in keystone:
status: Confirmed → Fix Committed
Jesse Andrews (anotherjesse)
Changed in keystone:
assignee: nobody → Jesse Andrews (anotherjesse)
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-rc1 → 2012.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.