Exception on admin_token usage ValueError: Unrecognized

Bug #1603038 reported by Attila Fazekas
Affects                        Status        Importance  Assigned to      Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Colleen Murphy
keystonemiddleware             Invalid       Undecided   Unassigned

Bug Description

1. iniset keystone.conf DEFAULT admin_token deprecated
2. reload keystone (systemctl restart httpd)
3. curl -g -i -X GET http://192.168.9.98/identity_v2_admin/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: deprecated"

I know the admin_token is deprecated, but it should be handled without throwing an extra exception.

2016-07-14 11:00:28.487 20453 WARNING keystone.middleware.core [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] The admin_token_auth middleware presents a security risk and should be removed from the [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini file.
2016-07-14 11:00:28.593 20453 DEBUG keystone.middleware.auth [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Authenticating user token process_request /usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py:354
2016-07-14 11:00:28.593 20453 WARNING keystone.middleware.auth [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Invalid token contents.
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth Traceback (most recent call last):
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 399, in _do_fetch_token
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth return data, access.create(body=data, auth_token=token)
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth return wrapped(*args, **kwargs)
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth File "/usr/lib/python2.7/site-packages/keystoneauth1/access/access.py", line 49, in create
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth raise ValueError('Unrecognized auth response')
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth ValueError: Unrecognized auth response
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth
2016-07-14 11:00:28.594 20453 INFO keystone.middleware.auth [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Invalid user token
2016-07-14 11:00:28.595 20453 DEBUG keystone.middleware.auth [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] RBAC: auth_context: {} fill_context /opt/stack/keystone/keystone/middleware/auth.py:219
2016-07-14 11:00:28.604 20453 INFO keystone.common.wsgi [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] GET http://192.168.9.98/identity_v2_admin/v2.0/users
2016-07-14 11:00:28.604 20453 WARNING oslo_log.versionutils [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] Deprecated: get_users of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q.
2016-07-14 11:00:28.622 20453 DEBUG oslo_db.sqlalchemy.engines [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _check_effective_sql_mode /usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/engines.py:256

Steve Martinelli (stevemar) wrote :

This needs to be triaged and fixed asap

Changed in keystone:
milestone: none → newton-3
importance: Undecided → Critical
Colleen Murphy (krinkle) wrote :

It looks like this bug was introduced by https://review.openstack.org/#/c/255686/

Steve Martinelli (stevemar) wrote :

I tried recreating this and wasn't able to:

$ curl -s -H "X-Auth-Token: secret_sauce" http://localhost:5000/v3/services | python -mjson.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://172.16.240.199/identity/v3/services"
    },
    "services": [
        {
            "enabled": true,
            "id": "1bd0addef1784422b3e02d7c7555fa59",
            "links": {
                "self": "http://172.16.240.199/identity/v3/services/1bd0addef1784422b3e02d7c7555fa59"
            },
            "name": "keystone",
            "type": "identity"
        }
    ]
}

And using the example in the bug report...

$ curl -g -i -X GET http://localhost/identity_v2_admin/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: secret_sauce"
HTTP/1.1 200 OK
Date: Tue, 19 Jul 2016 22:12:10 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: X-Auth-Token
x-openstack-request-id: req-9ab61b8d-745e-404b-94d0-327954c3f644
Content-Length: 488
Content-Type: application/json

{"users": [{"username": "alt_demo", "name": "alt_demo", "enabled": true, "email": "<email address hidden>", "id": "5e0e522badda43589bbfccf93244b705"}, {"username": "admin", "enabled": true, "name": "admin", "id": "738d69a5d39c4212b7e71c0ea224785a"}, {"username": "tempo", "name": "tempo", "enabled": true, "email": null, "id": "7edd5f4bcd7d41cd923920900e8fc57e"}, {"username": "demo", "name": "demo", "enabled": true, "email": "<email address hidden>", "id": "e8c6fddeff334d8ea90ea43c2c90c195"}]}

Haven't looked into the change Colleen pointed out yet, will do that now.

Steve Martinelli (stevemar) wrote :

Oh there's an exception in the log. It still works though. Lowering severity, but this should still be fixed.

Steve Martinelli (stevemar) wrote :

Can you check if it's the admin token in process_request in keystonemiddleware? Now that we're all request'ed up in keystone it may be possible to check for the is_admin value?

Changed in keystone:
status: New → Triaged
importance: Critical → Medium
Changed in keystonemiddleware:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/344496

Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: Triaged → In Progress
Changed in keystonemiddleware:
status: Triaged → Invalid
importance: Medium → Undecided
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/344496
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e420b16c22288c0a8cb9b1337e56f04ca1ef8737
Submitter: Jenkins
Branch: master

commit e420b16c22288c0a8cb9b1337e56f04ca1ef8737
Author: Colleen Murphy <email address hidden>
Date: Tue Jul 19 15:41:24 2016 -0700

    Skip middleware request processing for admin token

    In be558717 the request handling was refactored and more of the token
    handling was left to keystonemiddleware. However, when using the
    deprecated admin_token, the token needs to be handled differently.
    Specifically, there may be no 'token' or 'access' key in the body of
    the request, which keystoneauth expects to have keystonemiddleware pass
    to it[1][2]. Luckily the admin_token doesn't need a lot of special
    processing, so we can just skip that step and move on to fill_context.

    [1] http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n399
    [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/access/access.py#n41

    Closes-bug: #1603038

    Change-Id: Iac4a5769072925fe2f36768c8f31816e6866f2f6

Changed in keystone:
status: In Progress → Fix Released
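An added illustration of the failure the commit message describes and of the skip that resolves it. This is constructed example code, not keystone's or keystonemiddleware's own implementation; create_access, validate_token, the two process_request variants and the sample bodies are stand-ins modelled on the traceback above, and the admin token value is the one set in the bug report's keystone.conf.

```python
import hmac

ADMIN_TOKEN = "deprecated"  # admin_token value from the reporter's keystone.conf


def create_access(body, auth_token):
    """Stand-in for keystoneauth1.access.create(): it only understands a
    validation response carrying a v3 'token' or a v2 'access' key, and
    raises exactly the error seen in the bug's traceback otherwise."""
    if "token" in body:
        return {"version": "v3", "auth_token": auth_token, "is_admin": False}
    if "access" in body:
        return {"version": "v2", "auth_token": auth_token, "is_admin": False}
    raise ValueError("Unrecognized auth response")


def validate_token(token):
    """Stand-in for the middleware's token lookup (constructed). The admin
    token has no catalogue/user body behind it, so it yields an empty dict;
    any other token yields a constructed v3-style body."""
    if hmac.compare_digest(token, ADMIN_TOKEN):
        return {}  # no 'token' or 'access' key: this is what create_access rejects
    return {"token": {"user": {"name": "demo"}}}


def process_request_buggy(token):
    """Pre-fix flow: every token, the admin token included, is pushed through
    create_access(), so the admin token ends in ValueError."""
    data = validate_token(token)
    return create_access(data, token)


def process_request_fixed(token):
    """Post-fix flow: the admin token bypasses token processing and goes
    straight to an admin context, as the commit message's fill_context step.
    compare_digest keeps the secret comparison constant-time."""
    if hmac.compare_digest(token, ADMIN_TOKEN):
        return {"version": None, "auth_token": token, "is_admin": True}
    data = validate_token(token)
    return create_access(data, token)


def raises_unrecognized(handler, token):
    """True when handler(token) fails the way the reporter's log shows."""
    try:
        handler(token)
    except ValueError as exc:
        return str(exc) == "Unrecognized auth response"
    return False
```

Running process_request_buggy with the admin token reproduces the "Unrecognized auth response" ValueError, while process_request_fixed returns an admin context and leaves regular tokens on the unchanged keystoneauth path.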
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 10.0.0.0b3

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.
