2013-06-13 19:26:00 |
Brant Knudson |
description |
When the admin_token_auth is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data.
Operations should work even without the
To recreate:
1) Start with devstack.
2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline.
[pipeline:public_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3
3) Do a request using v2 admin api.
$ keystone user-list
An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500)
I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional.
Another option is to provide an alternative bit of middleware that sets the is_admin flag to False. |
When the admin_token_auth middleware is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data.
Operations should work even without the
To recreate:
1) Start with devstack.
2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline.
[pipeline:public_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3
3) Do a request using v2 admin api.
$ keystone user-list
An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500)
I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional.
Another option is to provide an alternative bit of middleware that sets the is_admin flag to False. |
|
2013-06-13 19:29:21 |
Brant Knudson |
description |
When the admin_token_auth middleware is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data.
Operations should work even without the
To recreate:
1) Start with devstack.
2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline.
[pipeline:public_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3
3) Do a request using v2 admin api.
$ keystone user-list
An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500)
I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional.
Another option is to provide an alternative bit of middleware that sets the is_admin flag to False. |
When the admin_token_auth middleware is removed from the paste pipeline, the server responds to requests with a 500 Internal Server Error rather than the correct data.
Operations should work even without the admin_token_auth middleware
To recreate:
1) Start with devstack.
2) Reconfigure Keystone to remove admin_token_auth from the paste pipeline.
[pipeline:public_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
#pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3
pipeline = access_log sizelimit url_normalize token_auth xml_body json_body ec2_extension s3_extension service_v3
3) Do a request using v2 admin api.
$ keystone user-list
An unexpected error prevented the server from fulfilling your request. 'is_admin' (HTTP 500)
I think the problem is that the server is assuming that is_admin will be in the context, but it's only there if the request has gone through the admin_token_auth middleware. If this is the case then the server could be changed so that is_admin in the context is optional.
Another option is to provide an alternative bit of middleware that sets the is_admin flag to False. |
|
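The failure in the report and the two fixes it proposes, modelled as an added Python example. This is not Keystone's code: the function names, the role-based fallback that stands in for ordinary token authorization, and the sample token are assumptions made for illustration.

```python
import hmac

ADMIN_TOKEN = "constructed-admin-token"  # constructed sample value


def admin_token_auth(app):
    """Filter: sets context['is_admin'] when the request carries the admin token."""
    def filtered(request):
        presented = request.get("token") or ""
        request["context"]["is_admin"] = hmac.compare_digest(presented, ADMIN_TOKEN)
        return app(request)
    return filtered


def default_is_admin(app):
    """Alternative filter from the report: make sure is_admin exists, as False."""
    def filtered(request):
        request["context"].setdefault("is_admin", False)
        return app(request)
    return filtered


def strict_service(request):
    """Assumes an earlier filter set is_admin; KeyError if none did."""
    ctx = request["context"]
    return 200 if ctx["is_admin"] or "admin" in ctx["roles"] else 401


def tolerant_service(request):
    """Treats a missing is_admin as False, so absence never grants admin."""
    ctx = request["context"]
    return 200 if ctx.get("is_admin", False) or "admin" in ctx["roles"] else 401


def handle(app, token=None, roles=()):
    """Run one request; an unhandled KeyError surfaces as a 500, as in the report."""
    # 'roles' stands in for whatever ordinary token validation would resolve (assumption).
    request = {"token": token, "context": {"roles": tuple(roles)}}
    try:
        return app(request), ""
    except KeyError as exc:
        return 500, str(exc)
```

In both fixes the missing flag defaults to False, so removing the filter from the pipeline can only take away the admin-token path and never grants it.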