Token with "placeholder" ID issued
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Won't Fix
|
Medium
|
Morgan Fainberg | ||
keystonemiddleware |
Fix Released
|
Medium
|
Jamie Lennox | ||
python-keystoneclient |
Fix Released
|
Medium
|
Jamie Lennox |
Bug Description
We're seeing test failures, where it seems that an invalid token is issued, with the ID of "placeholder"
http://
See context_
It seems like auth_token is getting a token, but there's some sort of race in the backend which prevents an actual token being stored? Trying to use "placeholder" as a token ID doesn't work, so it seems like this default assigned in the controller is passed back to auth_token, which treats it as a valid token, even though it's not.
https:/
I'm not sure how to debug this further, as I can't reproduce this problem locally.
Changed in keystone: | |
importance: | Undecided → Critical |
Changed in python-keystoneclient: | |
importance: | Undecided → Critical |
Changed in keystone: | |
milestone: | none → juno-rc1 |
Changed in keystonemiddleware: | |
status: | New → Fix Committed |
milestone: | none → 1.2.0 |
importance: | Undecided → Medium |
Changed in python-keystoneclient: | |
status: | Fix Committed → Fix Released |
Changed in keystonemiddleware: | |
status: | Fix Committed → Fix Released |
This bug is based upon an assumption that the decoded token data in the ENV that is provide by auth_token middleware has the correct token id. This assumption is incorrect.
The decoded token data from a v2 PKI token will always contain the id 'placeholder'. This is because the token_id is created before the document is signed, and is part of the signed document.
The bug is specifically caused in the review https:/ /review. openstack. org/#/c/ 97569/ because the token id is sourced from the decoded PKI token document instead of directly from the request header X-Auth-Token.
The fix from the Keystone / Keystoneclient side is one of three options:
1. auth_token middleware can do something interesting and populate the correct location in the env variable for the token.
2. auth_token middleware can remove the field from the env variable to avoid confusion (better)
3. V2 tokens should not be issued with the token_id as part of the token document, but independent of the document itself (in both UUID and PKI cases). The token_id would be derived not from the env location but from the X-auth-token header. It would be possible to provide a friendly env-variable for grabbing the ID if desired (but not really required). This mirrors the way V3.0 builds the token document. [best solution]
This definitely needs to be fixed. It definitely needs to be fixed sooner rather than later. I am unsure if this is really a "critical" bug.