Invalid X-Subject-Token results in HTTP 401 rather than 404

Bug #1221889 reported by Arvind Tiwari
Affects / Status / Importance / Assigned to / Milestone
OpenStack Identity (keystone) / Fix Released / High / Arvind Tiwari / (none)
tempest / Fix Released / Undecided / Morgan Fainberg / (none)

Bug Description

While fixing https://bugs.launchpad.net/keystone/+bug/1186059 I observed that many of the unit tests related to V3 HEAD calls are not correct.
e.g. all the unit tests below try to make a HEAD call after deleting/revoking the X-Subject-Token and assume that it will be unauthorized:

    self.head('/auth/tokens', headers={'X-Subject-Token': token2}, expected_status=401)

In reality the above call creates another scoped token and auth passes with the new token; in that case 401 is not the correct expected status. It should be 404, which is also aligned with the docs: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#403-forbidden.

test_deleting_group_grant_revokes_tokens (keystone.tests.test_v3_auth.TestTokenRevoking)
test_deleting_project_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_deleting_user_grant_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_disabling_project_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_group_membership_changes_revokes_token (keystone.tests.test_v3_auth.TestTokenRevoking)
test_removing_role_assignment_does_not_affect_other_users (keystone.tests.test_v3_auth.TestTokenRevoking)

I found this issue with many V3 token related tests, but as per Morgan Fainberg (morganfainberg) this is also affecting V2 auth unit tests.

I am trying to fix the V3 auth unit test issues as part of https://bugs.launchpad.net/keystone/+bug/1186059

Changed in keystone:
assignee: nobody → Arvind Tiwari (arvind-tiwari)
Revision history for this message
Dolph Mathews (dolph) wrote :

Under the https://wiki.openstack.org/wiki/APIChangeGuidelines it's "generally considered OK" to "change an error response code to be more accurate."

Changed in keystone:
importance: Undecided → Medium
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

This bug can cause excessive (admin) token churn in the auth_token middleware. If a 401 is received, the middleware will re-auth its admin token. Since a 401 is returned when either the admin token is invalid or the X-Subject-Token is invalid, this can result in a significant increase of token generation.

An invalid x-subject-token for GET and HEAD requests (and likewise v2.0, token provided in URI - the code paths for v2 and v3 validation/check are closely related so a fix to one could easily fix both) should likely return a 404 (TokenNotFound) or a distinct HTTP error code that does not collide with an invalid auth-token. This will prevent excessive token churn due to the middleware.

Dolph Mathews (dolph)
summary: - Wrong unit tests for v3 token head calls
+ Invalid X-Subject-Token results in HTTP 401 rather than 404
Changed in keystone:
importance: Medium → High
milestone: none → havana-rc1
tags: added: grizzly-backport-potential
Changed in keystone:
status: New → In Progress
Revision history for this message
Arvind Tiwari (arvind-tiwari) wrote :

The following method has to raise NotFound in case of TokenNotFound

    def _verify_token(self, token_id, belongs_to=None):
        """Verify the given token and return the token_ref."""
        try:
            token_ref = self.token_api.get_token(token_id)
            return self._verify_token_ref(token_ref, belongs_to)
        except exception.TokenNotFound:
            # Current behaviour: an unknown/revoked subject token is
            # reported as 401 (Unauthorized) instead of 404 (NotFound).
            raise exception.Unauthorized()

Revision history for this message
Arvind Tiwari (arvind-tiwari) wrote :

The above method is from /keystone/token/providers/uuid.py
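To make the two points above concrete (the middleware churn Morgan describes, and the single `except exception.TokenNotFound` branch Arvind points at), here is an added, self-contained model that is not keystone or tempest code. `TokenStore`, `verify_subject_token`, `head_auth_tokens`, `AuthTokenMiddleware` and `reauth_churn` are names invented for this example; the in-memory token store and the "re-authenticate on any 401" client behaviour are constructed to follow what the comments in this bug state, and the `fixed` flag switches the subject-token lookup between the pre-fix (401) and post-fix (404) mapping.

```python
# Added illustration (not keystone code): a toy model of the v3 token
# validation path and of the auth_token middleware's reaction to a 401.
# Every name below is invented for this example.


class TokenNotFound(Exception):
    """Raised by the token backend when the id is unknown or revoked."""


class Unauthorized(Exception):
    """Maps to HTTP 401: the caller's own credentials are not valid."""
    http_status = 401


class NotFound(Exception):
    """Maps to HTTP 404: the resource (here, X-Subject-Token) does not exist."""
    http_status = 404


class TokenStore:
    """Minimal stand-in for keystone's token backend (constructed, in memory)."""

    def __init__(self):
        self.tokens = {}
        self.issued = 0

    def issue(self, user):
        self.issued += 1
        token_id = "tok-%d" % self.issued
        self.tokens[token_id] = user
        return token_id

    def get_token(self, token_id):
        if token_id not in self.tokens:
            raise TokenNotFound(token_id)
        return self.tokens[token_id]

    def revoke(self, token_id):
        self.tokens.pop(token_id, None)


def verify_subject_token(store, token_id, fixed):
    """Shape of _verify_token: before the fix a missing subject token is
    reported as Unauthorized (401); after the fix it is NotFound (404)."""
    try:
        return store.get_token(token_id)
    except TokenNotFound:
        if fixed:
            raise NotFound(token_id)
        raise Unauthorized()


def head_auth_tokens(store, auth_token, subject_token, fixed):
    """Server side of HEAD /v3/auth/tokens, reduced to an HTTP status."""
    try:
        store.get_token(auth_token)          # X-Auth-Token: the caller itself
    except TokenNotFound:
        return Unauthorized.http_status      # caller is not authenticated
    try:
        verify_subject_token(store, subject_token, fixed)
    except (Unauthorized, NotFound) as err:
        return err.http_status
    return 200


class AuthTokenMiddleware:
    """Client side: validates user tokens with its own admin token and, as
    described in the bug, re-authenticates that admin token on any 401."""

    def __init__(self, store, fixed):
        self.store = store
        self.fixed = fixed
        self.admin_token = store.issue("admin")
        self.admin_reauths = 0

    def check(self, user_token):
        status = head_auth_tokens(self.store, self.admin_token, user_token, self.fixed)
        if status == 401:
            # A bare 401 cannot be told apart from "my admin token expired",
            # so the middleware fetches a fresh admin token and retries once.
            self.admin_reauths += 1
            self.admin_token = self.store.issue("admin")
            status = head_auth_tokens(self.store, self.admin_token, user_token, self.fixed)
        return status


def reauth_churn(fixed, bad_requests):
    """Return (admin re-auth count, per-request statuses) when `bad_requests`
    requests each present a user token that has already been revoked."""
    store = TokenStore()
    middleware = AuthTokenMiddleware(store, fixed)
    user_token = store.issue("alice")
    store.revoke(user_token)
    statuses = [middleware.check(user_token) for _ in range(bad_requests)]
    return middleware.admin_reauths, statuses


if __name__ == "__main__":
    print("before fix:", reauth_churn(False, 5))  # (5, [401, 401, 401, 401, 401])
    print("after fix: ", reauth_churn(True, 5))   # (0, [404, 404, 404, 404, 404])
```

The pre-fix run shows one admin re-authentication per request carrying a revoked user token, which is the churn the middleware comment warns about; with the 404 mapping the middleware can treat the failure as "subject token invalid" and leaves its admin token alone.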

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/46123

Revision history for this message
Dolph Mathews (dolph) wrote :

There should be a change to tempest already in review for this bug - Arvind, can you link it here?

Changed in tempest:
status: New → In Progress
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

https://review.openstack.org/#/c/46341/ (Merged). Still needs the update to unskip / change expected status.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/48111
Committed: http://github.com/openstack/keystone/commit/af68f75978d1c3369cb184fda8ec2b7a5fc5e90e
Submitter: Jenkins
Branch: master

commit af68f75978d1c3369cb184fda8ec2b7a5fc5e90e
Author: guang-yee <email address hidden>
Date: Tue Sep 24 14:47:31 2013 -0500

    sync oslo policy

    Related-Bug: 1221889
    Change-Id: I0fd0be982879647ef73081326708ec37b1cb9fd9

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/46123
Committed: http://github.com/openstack/keystone/commit/f1f0bbc4b42adeeced224778271f1297b9632b96
Submitter: Jenkins
Branch: master

commit f1f0bbc4b42adeeced224778271f1297b9632b96
Author: Arvind Tiwari <email address hidden>
Date: Wed Sep 11 12:28:14 2013 -0600

    Validate token calls return 404 on invalid tokens

    Invalid X-Subject-Token was resulting in HTTP 401 rather than 404
    This is causing the auth_token middleware to re-authenticate
    It expects a 404 on an invalid token.

    Change-Id: Ieb4cbd4f69b4f3c5944eebc262e694e831d1ca6d
    Fixed-Bug: #1221889
    Fixed-Bug: #1186059

Dolph Mathews (dolph)
Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.openstack.org/49035

Changed in tempest:
assignee: nobody → Morgan Fainberg (mdrnstm)
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.openstack.org/49035
Committed: http://github.com/openstack/tempest/commit/69a69eafd0cb56d9ea46ff100cb43919a5b3567c
Submitter: Jenkins
Branch: master

commit 69a69eafd0cb56d9ea46ff100cb43919a5b3567c
Author: Morgan Fainberg <email address hidden>
Date: Mon Sep 30 12:11:05 2013 -0700

    Unskip test_tokens and update expected status to 404 from 401

    Now that the API results in a 404 for an invalid x-subject-token
    and a 401 for an invalid x-auth-token, we need to update the expected
    resulting HTTP Status from 401 to 404 in the test_tokens test.

    closes-bug: 1221889
    Change-Id: I158c968c1948ee658305e9ec484425d98f187cba

Changed in tempest:
status: In Progress → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-rc1 → 2013.2
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential