token gets truncated with PKI tokens

Bug #1484499 reported by Matthias Runge on 2015-08-13
This bug affects 2 people
Affects: django-openstack-auth
Importance: High
Assigned to: Matthias Runge

Bug Description

This is specific to PKI tokens.

Set up a user with 2 projects and log that user in to Horizon.

You'll see that the project switcher (in the upper corner) is empty.

I can see a stack trace:
Unable to retrieve project list.
Traceback (most recent call last):
  File "/home/mrunge/work/django_openstack_auth/openstack_auth/user.py", line 310, in authorized_tenants
    is_federated=self.is_federated)
  File "/home/mrunge/work/django_openstack_auth/openstack_auth/utils.py", line 142, in wrapper
    result = func(*args, **kwargs)
  File "/home/mrunge/work/django_openstack_auth/openstack_auth/utils.py", line 259, in get_project_list
    projects = client.tenants.list()
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/tenants.py", line 123, in list
    tenant_list = self._list('/tenants%s' % query, 'tenants')
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 124, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 395, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-1fd4c0dc-ddad-4044-8bf8-7a19bc174f1c)

Looking a bit more, the token seems to be way too short.

I tested with code both with and without this commit:
https://github.com/openstack/django_openstack_auth/commit/1980c66952eae7016f80cc819f88e4ad9b099c65

Matthias Runge (mrunge) wrote :
summary: - user tenants list not working
+ token gets truncated with PKI tokens
Matthias Runge (mrunge) on 2015-08-13
Changed in django-openstack-auth:
importance: Undecided → High
Matthias Runge (mrunge) wrote :

Horizon seems to use a hash of the token.

Lin Hua Cheng (lin-hua-cheng) wrote :

Matthias: the bug I linked should resolve your issue.

Matthias Runge (mrunge) wrote :

Lin, it does not. As stated in the first comment, it doesn't matter if you have that patch or not.

Matthias Runge (mrunge) wrote :

In fact, for the tests I'm using a database as the session backend.
This issue goes away when I set

OPENSTACK_TOKEN_HASH_ENABLED = False

Fix proposed to branch: master
Review: https://review.openstack.org/215103

Changed in django-openstack-auth:
assignee: nobody → Matthias Runge (mrunge)
status: New → In Progress

Reviewed: https://review.openstack.org/215103
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=aed28851b933a04dffcff70674f7afad84cb2d57
Submitter: Jenkins
Branch: master

commit aed28851b933a04dffcff70674f7afad84cb2d57
Author: Matthias Runge <email address hidden>
Date: Thu Aug 20 13:50:36 2015 +0200

    initialize the hasher for unscoped token

    Using PKI tokens results in an empty
    projects list in horizon and a 403 error from
    keystone.

    Change-Id: If6853343125112340e447e760ee7d997e6e7384f
    Closes-Bug: #1484499
    Closes-Bug: #1486745
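
The failure mode named in the commit subject, as an added example that is not the project's code: it assumes the defect is one hash object being fed both the scoped and the unscoped token, so the second digest covers the concatenation of the two. The function names, the `sha256` choice, the sample tokens and the `server_accepts` validator are all hypothetical stand-ins.

```python
import hashlib

ALGORITHM = "sha256"  # assumption: stand-in for the configured token hash algorithm

# Constructed stand-ins for long PKI tokens (real ones are multi-kilobyte blobs).
SCOPED = b"MII" + b"scoped-token-body" * 200
UNSCOPED = b"MII" + b"unscoped-token-body" * 200


def token_hash(token, algorithm=ALGORITHM):
    """Hash a single token with a freshly initialized hash object."""
    return hashlib.new(algorithm, token).hexdigest()


def hash_pair_reused(scoped, unscoped, algorithm=ALGORITHM):
    """Buggy pattern: the same hash object is updated with both tokens."""
    hasher = hashlib.new(algorithm)
    hasher.update(scoped)
    scoped_id = hasher.hexdigest()
    # hexdigest() does not reset state, so this digest covers scoped + unscoped.
    hasher.update(unscoped)
    unscoped_id = hasher.hexdigest()
    return scoped_id, unscoped_id


def hash_pair_fixed(scoped, unscoped, algorithm=ALGORITHM):
    """Fixed pattern: a new hash object is initialized for each token."""
    return token_hash(scoped, algorithm), token_hash(unscoped, algorithm)


def server_accepts(presented_id, issued_tokens, algorithm=ALGORITHM):
    """Hypothetical validator: accept only ids that are the hash of an issued token."""
    return presented_id in {token_hash(t, algorithm) for t in issued_tokens}


if __name__ == "__main__":
    issued = [SCOPED, UNSCOPED]
    for name, fn in (("reused", hash_pair_reused), ("fixed", hash_pair_fixed)):
        scoped_id, unscoped_id = fn(SCOPED, UNSCOPED)
        print(name, "scoped ok:", server_accepts(scoped_id, issued),
              "unscoped ok:", server_accepts(unscoped_id, issued))
```

With the reused hasher the scoped id still validates, but the unscoped id matches no issued token, so any call made with it is rejected as unauthenticated.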

Changed in django-openstack-auth:
status: In Progress → Fix Committed
Matthias Runge (mrunge) on 2015-08-20
Changed in django-openstack-auth:
milestone: none → 1.3.2
Changed in django-openstack-auth:
milestone: none → 1.4.0
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/215303
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=285e41674878e596b7162d3ba3c10a80c36430c9
Submitter: Jenkins
Branch: stable/kilo

commit 285e41674878e596b7162d3ba3c10a80c36430c9
Author: Matthias Runge <email address hidden>
Date: Thu Aug 20 13:50:36 2015 +0200

    initialize the hasher for unscoped token

    Using PKI tokens results in an empty
    projects list in horizon and a 403 error from
    keystone.

    Change-Id: If6853343125112340e447e760ee7d997e6e7384f
    Closes-Bug: #1484499
    Closes-Bug: #1486745
    (cherry picked from commit aed28851b933a04dffcff70674f7afad84cb2d57)

tags: added: in-stable-kilo
Canh Truong (canh-v-truong) wrote :

Hi, it seems that the issue is not specific only to PKI tokens. Please see https://bugs.launchpad.net/django-openstack-auth/+bug/1487372

This issue was fixed in the openstack/django_openstack_auth 1.2.1 release.
