Nova api 'Authorization failed for token' with federated scoped token
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Low | Steve Martinelli |
Bug Description
OpenStack Release: Juno
I am investigating k2k and I'm seeing the following behavior.
I have set up a keystone 2 keystone environment.
I get an unscoped federated token.
I then get a project scoped token from the unscoped.
I attempt to do something simple by listing the flavors:
-- curl -i -X GET -H "X-Auth-
I see this in the nova api.log:
-------
2015-02-06 10:20:32.787 3970 WARNING keystonemiddlew
2015-02-06 10:20:32.788 3970 INFO nova.osapi_
I see this in the keystone.log:
-------
2015-02-06 10:55:00.753 5910 DEBUG keystone.
2015-02-06 10:55:00.769 5910 ERROR keystone.
2015-02-06 10:55:00.769 5910 TRACE keystone.
The token body of the scoped token is:
-------
{
"token": {
"methods": [
"saml2"
],
"roles": [
{
},
{
}
],
"project": {
},
"id": "031a04fd26da4d
"name": "admin"
},
"catalog": [
{
],
},
{
],
},
{
],
},
{
],
},
{
],
},
{
],
},
{
],
},
{
],
},
{
],
}
],
"extras": {},
"user": {
},
}
},
"id": "admin",
"name": "admin"
},
],
}
}
Changed in keystone:
status: Invalid → Triaged
assignee: Marek Denis (marek-denis) → Steve Martinelli (stevemar)
importance: Undecided → Low
milestone: none → kilo-3
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: kilo-3 → 2015.1.0
The part of the stacktrace that looks suspicious is that it's failing at `validate_v2_token`. I'm wondering if this is caused by nova/keystonemiddleware incorrectly using v2 endpoints?