Token authentication for missing tenant
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Wishlist | Dolph Mathews | |
Bug Description
Token authentication for a user in a nonexistent tenant raises a 500 server error instead of 40x (I think it should be a 404) when you are using an unscoped tenant:
Request data:
{"auth": {"token": {"id": "e2c5b2cc521a48
Response:
{"error": {"message": "An unexpected error prevented the server from fulfilling your request. 'NoneType' object is not subscriptable", "code": 500, "title": "Internal Server Error"}}
Log:
http://
If you aren't using any token then you get an unscoped token; is this by design? I think a 404 Tenant not found should be returned instead.
Both issues are tested against stable/essex and master, settings are default but Catalog backend (I'm using TemplatedCatalog http://
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: folsom-2 → 2012.2
I've got a new issue related to this one and leading to a much more severe bug, taking down the whole OpenStack system. How to reproduce:
* After everything is working (Keystone, Nova, Glance...) reload keystone data.
* Then the "auth_token" middleware has a token belonging to a tenant that no longer exists.
* From that point all requests to Nova/Glance will raise a 500 server error at Keystone (the error explained above), thus failing the token validation.
* The "auth_token" validation only refreshes tokens when it gets a 401 error (see the link), however it's getting a 500. So the token is not refreshed, getting the same error over and over.
* Nova and Glance won't work until they refresh the token (e.g.: after restarting the service and thus getting a new token).
https://github.com/openstack/keystone/blob/master/keystone/middleware/auth_token.py#L352
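A minimal model of the failure loop described in the comment above, added here as an illustration and not taken from keystone or the auth_token middleware. `StubIdentity`, `Middleware` and `run_outage` are hypothetical names, and the stub tracks only the middleware's cached token; it compares an identity service that answers a stale token with 500 against one that answers 401.

```python
# Simplified model (assumption): not keystone or auth_token source code.


class StubIdentity:
    """Stand-in for the identity service. status_for_stale is the HTTP status
    it returns for a cached token whose tenant no longer exists."""

    def __init__(self, status_for_stale):
        self.status_for_stale = status_for_stale
        self.valid_admin_tokens = set()
        self.issued = 0

    def issue_admin_token(self):
        self.issued += 1
        token = "admin-%d" % self.issued  # constructed sample value
        self.valid_admin_tokens.add(token)
        return token

    def reload_data(self):
        # Data reloaded: every previously issued token now points at a missing tenant.
        self.valid_admin_tokens.clear()

    def validate(self, admin_token, user_token):
        if admin_token not in self.valid_admin_tokens:
            return self.status_for_stale
        return 200


class Middleware:
    """Caches one token and refreshes it only on 401, as the report describes."""

    def __init__(self, identity):
        self.identity = identity
        self.admin_token = identity.issue_admin_token()

    def handle(self, user_token, retry=True):
        status = self.identity.validate(self.admin_token, user_token)
        if status == 401 and retry:
            self.admin_token = self.identity.issue_admin_token()
            return self.handle(user_token, retry=False)
        return status  # a 500 falls through: the stale token stays cached


def run_outage(status_for_stale, requests=3):
    """Return (status before reload, list of statuses after reload)."""
    identity = StubIdentity(status_for_stale)
    mw = Middleware(identity)
    before = mw.handle("user-token")
    identity.reload_data()
    return before, [mw.handle("user-token") for _ in range(requests)]
```

With a 500 for the stale token every later request fails until the process is restarted; with a 401 the first request after the reload triggers a refresh and service resumes.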