Improve error message when there's a bad user / password somewhere

Bug #981906 reported by Endre Karlson
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Dolph Mathews

Bug Description

[root@os-svc02 images]# glance --os_username=admin --os_password=adminp4ss --os_tenant=demo --os_auth_url=http://keystone.os.lan:5000/v2.0/ add name="tty-linux-kernel" disk_format=aki container_format=aki < ttylinux-uec-amd64-12.1_2.6.35-22_1-vmlinuz
Uploading image 'tty-linux-kernel'
Failed to add image. Got error:
The request returned 503 Service Unavilable. This generally occurs on service overload or other transient outage.

# In api logs:
2012-04-14 16:55:46 9531 DEBUG [keystone.middleware.auth_token] Authenticating user token
2012-04-14 16:55:46 9531 DEBUG [keystone.middleware.auth_token] Removing headers from request environment: X-Identity-Status,X-Tenant-Id,X-Tenant-Name,X-User-Id,X-User-Name,X-Roles,X-User,X-Tenant,X-Role
2012-04-14 16:55:46 9531 WARNING [keystone.middleware.auth_token] Unexpected response from keystone service: {u'error': {u'message': u'Invalid user / password', u'code': 401, u'title': u'Not Authorized'}}
2012-04-14 16:55:46 9531 CRITICAL [keystone.middleware.auth_token] Unable to obtain admin token: invalid json response
2012-04-14 16:55:46 9531 DEBUG [eventlet.wsgi.server] 192.168.6.10 - - [14/Apr/2012 16:55:46] "POST /v1/images HTTP/1.1" 503 235 0.092509

# keystone.log

2012-04-14 23:18:41 DEBUG [keystone.common.wsgi] ******************** RESPONSE BODY ********************
2012-04-14 23:18:41 DEBUG [keystone.common.wsgi] {"error": {"message": "Invalid user / password", "code": 401, "title": "Not Authorized"}}
2012-04-14 23:18:41 DEBUG [eventlet.wsgi.server] 192.168.6.10 - - [14/Apr/2012 23:18:41] "POST /v2.0/tokens HTTP/1.1" 401 229 0.049767

Yaguang Tang (heut2008)
Changed in glance:
status: New → Confirmed
assignee: nobody → Sina Web Service (sws)
assignee: Sina Web Service (sws) → Yaguang Tang (heut2008)
Brian Waldon (bcwaldon) wrote :

At first glance, this looks like a bug in the keystone auth middleware. We shouldn't translate a 401 from the keystone service to a 503.

affects: glance → keystone
Joseph Heck (heckj)
Changed in keystone:
importance: Undecided → Medium
gordon chung (chungg) wrote :

This bug appears to have been resolved since opening. It returns a 401 error now:

Unable to communicate with identity service: {"error": {"message": "Invalid user / password", "code": 401, "title": "Not Authorized"}}. (HTTP 401)

Changed in keystone:
assignee: Yaguang Tang (heut2008) → nobody
Dolph Mathews (dolph) wrote :

Fixed in https://github.com/openstack/keystone/commit/01fccdb1ccc7f7e42b6487b42b6946db98fb8c44

Always revealing the details of authentication failures presents an unnecessary security exposure, so this type of feedback is only available if keystone is running with debug enabled, e.g. keystone.conf [DEFAULT] debug = true

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
milestone: none → grizzly-3
status: Confirmed → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-3 → 2013.1
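
The two behaviours discussed in this report, as an added sketch that is not keystone's or glance's own code: a middleware-side mapping that keeps an identity-service 401 as a 401 instead of reporting a 503 outage, and a server-side error body that reveals the failure reason only when debug is enabled. The function names, the generic message text and the 502 fallback are assumptions made for this example.

```python
import json

# Constructed generic text for this example; keystone's real wording may differ.
GENERIC_MESSAGE = "Authentication required."


def auth_failure_body(detail, debug=False):
    """Serialize a 401 error body, exposing `detail` only when debug is on."""
    message = detail if debug else GENERIC_MESSAGE
    return json.dumps(
        {"error": {"message": message, "code": 401, "title": "Not Authorized"}}
    )


def map_identity_reply(status, raw_body):
    """Decide what a middleware should return for an identity-service reply.

    Returns (http_status, log_line). A 401 stays a 401; 503 is kept for
    replies that really look like an outage (5xx or an unparseable body).
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 503, "identity service returned a non-JSON body"
    if not isinstance(body, dict):
        return 503, "identity service returned an unexpected JSON type"
    if status == 200 and "access" in body:  # v2.0 token replies carry "access"
        return 200, "token obtained"
    if status == 401:
        reason = body.get("error", {}).get("message", "no reason given")
        return 401, "identity service rejected credentials: " + reason
    if status >= 500:
        return 503, "identity service unavailable (HTTP %d)" % status
    # Fallback status is this example's choice, not taken from the report.
    return 502, "unexpected identity service reply (HTTP %d)" % status


if __name__ == "__main__":
    # Body copied from the keystone.log excerpt in the bug description.
    logged = ('{"error": {"message": "Invalid user / password", '
              '"code": 401, "title": "Not Authorized"}}')
    print(map_identity_reply(401, logged))
    print(auth_failure_body("Invalid user / password"))
    print(auth_failure_body("Invalid user / password", debug=True))
```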