Invalid X-Subject-Token results in HTTP 401 rather than 404

Bug #1221889 reported by Arvind Tiwari on 2013-09-06
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Arvind Tiwari
Morgan Fainberg

Bug Description

While fixing I observed that many of the unit tests related to V3 HEAD calls are not correct.
e.g. all the unit tests below try to make a HEAD call after deleting/revoking the X-Subject-Token and assume that it will be unauthorized.
self.head('/auth/tokens', headers={'X-Subject-Token': token2}, expected_status=401)
In reality the above call creates another scoped token and auth passes with the new token; in that case 401 is not a correct test, it should be 404, which is also aligned with the docs.

test_deleting_group_grant_revokes_tokens (keystone.tests.test_v3_auth.TestTokenRevoking)
test_deleting_project_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_deleting_user_grant_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_disabling_project_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_group_membership_changes_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_removing_role_assignment_does_not_affect_other_users (keystone.tests.test_v3_auth.TestTokenRevoking)

I found this issue with many V3 token related tests, but as per Morgan Fainberg (morganfainberg) this also affects the V2 auth unit tests.

I am trying to fix the V3 auth unit test issue as part of

Changed in keystone:
assignee: nobody → Arvind Tiwari (arvind-tiwari)
Dolph Mathews (dolph) wrote :

Under the it's "generally considered OK" to "change an error response code to be more accurate."

Changed in keystone:
importance: Undecided → Medium
Morgan Fainberg (mdrnstm) wrote :

This bug can cause excessive (admin) token churn in the auth_token middleware. If a 401 is received, the middleware will re-auth its admin token. Since a 401 is returned when either the admin token is invalid or the X-Subject-Token is invalid, this can result in a significant increase in token generation.

An invalid x-subject-token for GET and HEAD requests (and likewise v2.0, token provided in URI - the code paths for v2 and v3 validation/check are closely related so a fix to one could easily fix both) should likely return a 404 (TokenNotFound) or a distinct HTTP error code that does not collide with an invalid auth-token. This will prevent excessive token churn due to the middleware.

Dolph Mathews (dolph) on 2013-09-06
summary: - Wrong unit tests for v3 token head calls
+ Invalid X-Subject-Token results in HTTP 401 rather than 404
Changed in keystone:
importance: Medium → High
milestone: none → havana-rc1
tags: added: grizzly-backport-potential
Changed in keystone:
status: New → In Progress
Arvind Tiwari (arvind-tiwari) wrote :

The following method has to raise NotFound in case of TokenNotFound

    def _verify_token(self, token_id, belongs_to=None):
        """Verify the given token and return the token_ref."""
        try:
            token_ref = self.token_api.get_token(token_id)
            return self._verify_token_ref(token_ref, belongs_to)
        except exception.TokenNotFound:
            raise exception.Unauthorized()
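
The churn Morgan describes above, and the effect of the `_verify_token` change Arvind quotes, as an added simulation (not keystone or python-keystoneclient code; the token store, the status mapping and the retry loop are hypothetical stand-ins, and the sample tokens are constructed inline so it runs offline). With the pre-fix mapping every request carrying a revoked user token costs the middleware one admin re-auth; with TokenNotFound kept distinct it costs none.

```python
"""Model of the 401/404 collision between X-Auth-Token and X-Subject-Token.

Added illustration only: IdentityService and AuthTokenMiddleware are
hypothetical stand-ins for keystone's token check endpoint and the
auth_token middleware, not the real implementations.
"""
import secrets


class Unauthorized(Exception):
    """The caller's own X-Auth-Token is not valid (HTTP 401)."""
    code = 401


class TokenNotFound(Exception):
    """The X-Subject-Token being checked is missing or revoked (HTTP 404)."""
    code = 404


class IdentityService:
    """Stand-in for GET/HEAD /v3/auth/tokens (hypothetical)."""

    def __init__(self, collapse_to_401):
        # collapse_to_401=True reproduces the pre-fix _verify_token, which
        # turned TokenNotFound into Unauthorized.
        self.collapse_to_401 = collapse_to_401
        self.tokens = {}  # token id -> owner (constructed in-memory store)
        self.issued = 0

    def issue(self, owner):
        self.issued += 1
        tid = secrets.token_hex(8)
        self.tokens[tid] = owner
        return tid

    def revoke(self, tid):
        self.tokens.pop(tid, None)

    def check(self, auth_token, subject_token):
        """Authenticate the caller first, then look up the subject token."""
        if auth_token not in self.tokens:
            raise Unauthorized()
        if subject_token not in self.tokens:
            if self.collapse_to_401:
                raise Unauthorized()  # pre-fix: 404 collapses into 401
            raise TokenNotFound()  # post-fix: distinct status
        return self.tokens[subject_token]

    def status_of(self, auth_token, subject_token):
        try:
            self.check(auth_token, subject_token)
            return 200
        except (Unauthorized, TokenNotFound) as exc:
            return exc.code


class AuthTokenMiddleware:
    """Model of the middleware's admin-token handling (hypothetical)."""

    def __init__(self, identity):
        self.identity = identity
        self.admin_token = identity.issue("service-user")
        self.reauths = 0

    def validate(self, user_token):
        status = self.identity.status_of(self.admin_token, user_token)
        if status == 401:
            # A 401 could mean the admin token expired, so the middleware
            # re-authenticates and retries once before giving up.
            self.admin_token = self.identity.issue("service-user")
            self.reauths += 1
            status = self.identity.status_of(self.admin_token, user_token)
        return status


def simulate(collapse_to_401, invalid_requests=50):
    """Return (admin re-auths, total tokens issued) after `invalid_requests`
    requests that each present the same revoked user token."""
    identity = IdentityService(collapse_to_401)
    middleware = AuthTokenMiddleware(identity)
    user_token = identity.issue("alice")
    assert middleware.validate(user_token) == 200
    identity.revoke(user_token)
    for _ in range(invalid_requests):
        middleware.validate(user_token)
    return middleware.reauths, identity.issued


if __name__ == "__main__":
    print("pre-fix  (404 collapsed to 401):", simulate(True))
    print("post-fix (404 kept distinct)   :", simulate(False))
```

Running it shows 50 admin re-auths and 52 tokens issued under the pre-fix mapping versus 0 re-auths and 2 tokens issued once the subject-token miss is reported as 404; an invalid X-Auth-Token still yields 401 in both modes, which is the distinction the middleware relies on.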

Arvind Tiwari (arvind-tiwari) wrote :

The above method is from /keystone/token/providers/

Dolph Mathews (dolph) wrote :

There should be a change to tempest already in review for this bug - Arvind, can you link it here?

Changed in tempest:
status: New → In Progress
Morgan Fainberg (mdrnstm) wrote : (Merged). Still needs the update to unskip / change expected status.

Submitter: Jenkins
Branch: master

commit af68f75978d1c3369cb184fda8ec2b7a5fc5e90e
Author: guang-yee <email address hidden>
Date: Tue Sep 24 14:47:31 2013 -0500

    sync oslo policy

    Related-Bug: 1221889
    Change-Id: I0fd0be982879647ef73081326708ec37b1cb9fd9

Submitter: Jenkins
Branch: master

commit f1f0bbc4b42adeeced224778271f1297b9632b96
Author: Arvind Tiwari <email address hidden>
Date: Wed Sep 11 12:28:14 2013 -0600

    Validate token calls return 404 on invalid tokens

    Invalid X-Subject-Token was resulting in HTTP 401 rather than 404
    This is causing the auth_token middleware to re-authenticate
    It expects a 404 on an invalid token.

    Change-Id: Ieb4cbd4f69b4f3c5944eebc262e694e831d1ca6d
    Fixed-Bug: #1221889
    Fixed-Bug: #1186059


Dolph Mathews (dolph) on 2013-09-30
Changed in keystone:
status: In Progress → Fix Committed

Fix proposed to branch: master

Changed in tempest:
assignee: nobody → Morgan Fainberg (mdrnstm)
Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released

Submitter: Jenkins
Branch: master

commit 69a69eafd0cb56d9ea46ff100cb43919a5b3567c
Author: Morgan Fainberg <email address hidden>
Date: Mon Sep 30 12:11:05 2013 -0700

    Unskip test_tokens and update expected status to 404 from 401

    Now that the API results in a 404 for an invalid x-subject-token
    and a 401 for an invalid x-auth-token, we need to update the expected
    resulting HTTP Status from 401 to 404 in the test_tokens test.

    closes-bug: 1221889
    Change-Id: I158c968c1948ee658305e9ec484425d98f187cba

Changed in tempest:
status: In Progress → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2
Alan Pevec (apevec) on 2014-03-30
tags: removed: grizzly-backport-potential