user creation with fernet tokens results in 401

Bug #1431434 reported by Boris Bobrov
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

create_user.json:

{
    "user": {
        "enabled": true,
        "name": "breton",
        "password": "123123"
    }
}

[DEFAULT]
admin_token = ADMIN

$ curl -k -H "X-Auth-Token:ADMIN" -H "Content-type: application/json" -d @create_user.json http://localhost:35357/v3/users | python -mjson.tool
{
    "error": {
        "code": 401,
        "message": "This is not a recognized Fernet formatted token: ADM (Disable debug mode to suppress these details.)",
        "title": "Unauthorized"
    }
}

Logs from keystone-all: http://paste.openstack.org/show/191866/

Tags: fernet
Dolph Mathews (dolph) wrote :

This will definitely be impacted by https://review.openstack.org/#/c/162031/

tags: added: fernet
Changed in keystone:
importance: Undecided → Critical
importance: Critical → High
Boris Bobrov (bbobrov) wrote :

With the latest master (55d940c70be405e6dcf48eaa4aed0c2d766aadeb) I get
{
    "error": {
        "code": 401,
        "message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)",
        "title": "Unauthorized"
    }
}

Boris Bobrov (bbobrov) wrote :

I am not sure now that this is a fernet-related bug. Or the fernet relation was fixed by https://review.openstack.org/#/c/162031/

summary: - user creation with fernet tokens results in 401
+ user creation with admin_token results in 401: Unauthorized
tags: removed: fernet
tags: added: fernet
summary: - user creation with admin_token results in 401: Unauthorized
+ user creation with fernet tokens results in 401
Boris Bobrov (bbobrov) wrote :

*because I can reproduce it on 4325113f163137976ccb625ea5f324e75beed44e

Haneef Ali (haneef) wrote :

Are you using a domain-scoped token? If so, it may be due to roles not being returned for fernet tokens for domain-scoped tokens

https://bugs.launchpad.net/keystone/+bug/1430433

I was able to reproduce yours only with a domain-scoped token

Lance Bragstad (lbragstad) wrote :

Boris,

Are you able to recreate with this branch?

https://review.openstack.org/#/c/165520/

There has been a significant amount of change in the fernet implementation recently as patches have been landing.

Boris Bobrov (bbobrov) wrote :

It's not a fernet-related problem. "keystoneclient.openstack.common.apiclient.exceptions.Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401)" happens even with uuid. So let's mark this bug as fixed/invalid and I'll open a new one.

Boris Bobrov (bbobrov) wrote :
Changed in keystone:
status: New → Fix Committed
Boris Bobrov (bbobrov) wrote :
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0