user creation with fernet tokens results in 401

Bug #1431434 reported by Boris Bobrov on 2015-03-12
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Unassigned

Bug Description

creater_user.json:

{
    "user": {
        "enabled": true,
        "name": "breton",
        "password": "123123"
    }
}

[DEFAULT]admin_token = ADMIN

$ curl -k -H "X-Auth-Token:ADMIN" -H "Content-type: application/json" -d @create_user.json http://localhost:35357/v3/users | python -mjson.tool
{
    "error": {
        "code": 401,
        "message": "This is not a recognized Fernet formatted token: ADM (Disable debug mode to suppress these details.)",
        "title": "Unauthorized"
    }
}

Logs from keystone-all: http://paste.openstack.org/show/191866/

Dolph Mathews (dolph) wrote :

This will definitely be impacted by https://review.openstack.org/#/c/162031/

tags: added: fernet
Changed in keystone:
importance: Undecided → Critical
importance: Critical → High
Boris Bobrov (bbobrov) wrote :

With the latest master (55d940c70be405e6dcf48eaa4aed0c2d766aadeb) I get
{
    "error": {
        "code": 401,
        "message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)",
        "title": "Unauthorized"
    }
}

Boris Bobrov (bbobrov) wrote :

I am not sure now that this is fernet-related bug. Or fernet-relation was fixed by https://review.openstack.org/#/c/162031/

summary: - user creation with fernet tokens results in 401
+ user creation with admin_token results in 401: Unauthorized
tags: removed: fernet
tags: added: fernet
summary: - user creation with admin_token results in 401: Unauthorized
+ user creation with fernet tokens results in 401
Boris Bobrov (bbobrov) wrote :

*because I can reproduce it on 4325113f163137976ccb625ea5f324e75beed44e

Haneef Ali (haneef) wrote :

Are you using domain scoped token? If so it may be due to roles not returned for fernet tokens for domain scoped token

https://bugs.launchpad.net/keystone/+bug/1430433

I was able to reproduce yours only with domain scoped token

Lance Bragstad (lbragstad) wrote :

Boris,

Are you able to recreate with this branch?

https://review.openstack.org/#/c/165520/

There has been a significant amount of change in the fernet implementation recently as patches have been landing.

Boris Bobrov (bbobrov) wrote :

it's not fernet-related problem. "keystoneclient.openstack.common.apiclient.exceptions.Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401)" happens even with uuid. So lets mark this bug as fixed/invalid and I'll open a new one.

Boris Bobrov (bbobrov) wrote :
Changed in keystone:
status: New → Fix Committed
Thierry Carrez (ttx) on 2015-03-19
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-3 → 2015.1.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers