Token authentication for missing tenant

Bug #994501 reported by Rafael Durán Castañeda
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Dolph Mathews

Bug Description

Token authentication for a user in a nonexistent tenant raises a 500 server error instead of a 40x (I think it should be a 404) when you are using an unscoped tenant:

Request data:
{"auth": {"token": {"id": "e2c5b2cc521a48948ef6ff80a0a9a259"}, "tenantName": "missing_tenant"}}

Response:
{"error": {"message": "An unexpected error prevented the server from fulfilling your request. 'NoneType' object is not subscriptable", "code": 500, "title": "Internal Server Error"}}

Log:
http://pastebin.com/BsbhvjYN

If you aren't using any token then you get an unscoped token; is this by design? I think a 404 Tenant not found should be returned instead.

Both issues are tested against stable/essex and master; settings are default except for the Catalog backend (I'm using TemplatedCatalog, http://pastebin.com/4B2Le2h7).

Joseph Heck (heckj)
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Rafael Durán Castañeda (rafadurancastaneda) wrote :

I've got a new issue related to this one and leading to a much more severe bug, taking down the whole OpenStack system. How to reproduce:
* After everything is working (Keystone, Nova, Glance...) reload keystone data.
* Then the "auth_token" middleware has a token belonging to a tenant that no longer exists.
* From that point all requests to Nova/Glance will raise a 500 server error at Keystone (the error explained above), thus failing the token validation.
* The "auth_token" validation only refreshes tokens when it gets a 401 error (see the link), however it's getting a 500. So the token is not refreshed, getting the same error over and over.
* Nova and Glance won't work until they refresh the token (e.g.: after restarting the service and thus getting a new token).

https://github.com/openstack/keystone/blob/master/keystone/middleware/auth_token.py#L352
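
A simplified model of the two behaviours reported above (the unchecked tenant lookup that surfaces as a 500, and a client that re-authenticates only on 401), added here as an example; it is not keystone or auth_token code, and every function name and the sample tenant data are hypothetical.

```python
# Added illustration, not keystone code. All names and data are hypothetical.
TENANTS = {"demo": {"id": "t-demo", "name": "demo"}}  # constructed sample data


class NotFound(Exception):
    """Client error that the handler maps to HTTP 404."""


def scope_unchecked(tenant_name):
    # Bug pattern: the lookup returns None for a missing tenant and the
    # result is subscripted anyway, raising TypeError.
    return TENANTS.get(tenant_name)["id"]


def scope_checked(tenant_name):
    tenant = TENANTS.get(tenant_name)
    if tenant is None:
        raise NotFound("Tenant not found: %s" % tenant_name)
    return tenant["id"]


def handle(scope, tenant_name):
    """Map exceptions to status codes the way a generic error wrapper would."""
    try:
        return 200, scope(tenant_name)
    except NotFound as exc:
        return 404, str(exc)
    except Exception as exc:  # unplanned exception surfaces as a server fault
        return 500, "unexpected error: %s" % exc


def run_client(scope, cached_tenant, fresh_tenant, requests=3):
    """Client that re-authenticates only on 401, as the comment above describes.

    Returns (status codes seen, number of refreshes).
    """
    tenant, seen, refreshes = cached_tenant, [], 0
    for _ in range(requests):
        status, _body = handle(scope, tenant)
        if status == 401:  # the only status that triggers a refresh
            tenant, refreshes = fresh_tenant, refreshes + 1
            status, _body = handle(scope, tenant)
        seen.append(status)
    return seen, refreshes


if __name__ == "__main__":
    print(handle(scope_unchecked, "missing_tenant"))
    print(handle(scope_checked, "missing_tenant"))
    print(run_client(scope_unchecked, "missing_tenant", "demo"))
```

In this model the stale credential produces the same 500 on every request and the refresh counter stays at zero, which is the stuck state the comment describes.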

Dolph Mathews (dolph) wrote :

This appears to be fixed by a patch already in review: https://review.openstack.org/#/c/6875/

Attempt to recreate with/without above patch: http://paste.openstack.org/raw/18387/

Also, secondary issues should be filed & tracked separately.

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → In Progress
Rafael Durán Castañeda (rafadurancastaneda) wrote :

I've just tested the first issue against your patch, confirming it solves the issue (raising a 404 as expected). However, I still need to check the second one, reporting a new bug if necessary.

Rafael Durán Castañeda (rafadurancastaneda) wrote :

Second issue has been reported at Bug #1000609, so I will post any update there.

Rafael Durán Castañeda (rafadurancastaneda) wrote :

I made a mistake, Bug #1000609 doesn't match the second issue but the first, as Dolph's patch already notes.

Dolph Mathews (dolph) wrote :

Awesome; the fix for this issue merged as 23ca656927947dada40591bdd1badd5a531c2983

Changed in keystone:
milestone: none → folsom-2
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: folsom-2 → 2012.2