deprecate OPENSTACK_TOKEN_HASH_ENABLED

Bug #1502472 reported by Conrad Mukai
This bug affects 2 people
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Low
Assigned to: Brad Pokorny

Bug Description

I was going through all the configuration parameters in Horizon and I came across the description of OPENSTACK_TOKEN_HASH_ENABLED. It mentions that token hashing for PKI tokens is broken. I filed a bug a while ago that has since been resolved:

https://bugs.launchpad.net/django-openstack-auth/+bug/1486745

This bug was resolved as a duplicate of:

https://bugs.launchpad.net/bugs/1484499

But my bug report had an explanation of the root cause, which seems to correlate with the underlying reason for this parameter. Since the bug has been resolved I believe this parameter is no longer needed.

bpokorny: We need the fix for this bug as well for PKI to work completely:

https://bugs.launchpad.net/django-openstack-auth/+bug/1487372

Changed in horizon:
assignee: nobody → Jaiveek Shah (jaiveek-shah)
assignee: Jaiveek Shah (jaiveek-shah) → nobody
Lin Hua Cheng (lin-hua-cheng) wrote :

PKI is getting deprecated in keystone too, so this setting will be unusable at some point anyway.

I think it's fine to deprecate it.

Brad Pokorny (bpokorny) wrote :

We need the fix for this bug as well for PKI to work completely: https://bugs.launchpad.net/django-openstack-auth/+bug/1487372

Without the fix for 1487372, I was still getting this stack trace (even when I had the fix for 1486745):

2016-02-04 01:46:33.398474 DEBUG:keystoneauth.session:Request returned failure status: 401
2016-02-04 01:46:33.399129 Unable to retrieve project list.
2016-02-04 01:46:33.399426 Traceback (most recent call last):
2016-02-04 01:46:33.399708 File "/usr/local/lib/python2.7/dist-packages/openstack_auth/user.py", line 314, in authorized_tenants
2016-02-04 01:46:33.400017 is_federated=self.is_federated)
2016-02-04 01:46:33.400302 File "/usr/local/lib/python2.7/dist-packages/openstack_auth/utils.py", line 304, in get_project_list
2016-02-04 01:46:33.400593 projects = client.projects.list(user=kwargs.get('user_id'))
2016-02-04 01:46:33.400838 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
2016-02-04 01:46:33.401094 return func(*args, **kwargs)
2016-02-04 01:46:33.401367 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/projects.py", line 106, in list
2016-02-04 01:46:33.401631 **kwargs)
2016-02-04 01:46:33.401882 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 75, in func
2016-02-04 01:46:33.402128 return f(*args, **new_kwargs)
2016-02-04 01:46:33.402370 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 388, in list
2016-02-04 01:46:33.402413 self.collection_key)
2016-02-04 01:46:33.402440 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 124, in _list
2016-02-04 01:46:33.402468 resp, body = self.client.get(url, **kwargs)
2016-02-04 01:46:33.402494 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
2016-02-04 01:46:33.402521 return self.request(url, 'GET', **kwargs)
2016-02-04 01:46:33.402547 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 206, in request
2016-02-04 01:46:33.402573 resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
2016-02-04 01:46:33.402619 File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
2016-02-04 01:46:33.402648 return self.session.request(url, method, **kwargs)
2016-02-04 01:46:33.402673 File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/_utils.py", line 180, in inner
2016-02-04 01:46:33.402699 return func(*args, **kwargs)
2016-02-04 01:46:33.402724 File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 440, in request
2016-02-04 01:46:33.402750 raise exceptions.from_response(resp, method, url)
2016-02-04 01:46:33.402776 Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-4e404507-f937-4f51-aa6e-84bc9c0fd1ac)

I don't think the fix for 1487372 is in a DOA release yet, but I think we can go ahead with the deprecation. With that fix pulled in, things work for me, and it will make it into the next DOA release.

Changed in horizon:
status: New → Confirmed
assignee: nobody → Brad Pokorny (bpokorny)
Brad Pokorny (bpokorny)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/284845

Changed in horizon:
status: Confirmed → In Progress
Changed in horizon:
importance: Undecided → Low
milestone: none → ongoing
Changed in horizon:
milestone: ongoing → next
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/284845
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=bf9ad6048dc3b776338339d6c062661308011dfe
Submitter: Jenkins
Branch: master

commit bf9ad6048dc3b776338339d6c062661308011dfe
Author: Brad Pokorny <email address hidden>
Date: Wed Feb 24 03:23:10 2016 -0800

    Deprecate the OPENSTACK_TOKEN_HASH_ENABLED option

    Hashing PKI tokens is now working again, and Keystone will soon
    deprecate usage of PKI tokens. Remove this option, as it's now
    superfluous.

    Change-Id: Ie67000ac20915ac12056a1a0aed13f6731a1c3c9
    Closes-Bug: #1502472

Changed in horizon:
status: In Progress → Fix Released
Changed in horizon:
milestone: next → newton-2
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/horizon 10.0.0.0b2

This issue was fixed in the openstack/horizon 10.0.0.0b2 development milestone.
