keystone.middleware.auth logs an opaque debug message

Hello Cindy,

I'm digging through the traces you've provided. As far as I can tell, the error that you're seeing is only providing some information about the authorization context [0]. I believe I have seen this using more recent releases and the message still exists in the code base today [1]. Is there anything about it that is causing an unexpected behavior in your deployment?

[0] http://cdn.pasteraw.com/oolimjgy2xxrxpd9u98xmzl8mgs7xk
[1] https://github.com/openstack/keystone/blob/aeb51c84bb92d02715208aa8435aa3fd36564c72/keystone/middleware/auth.py#L187-L190

Here is the error message from the curl request. I changed domain name to id and that works???? see below. can you help me understand why using the domain name failed ?

{"error": {"message": "Expecting to find valid JSON in request body - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}

 curl http://haproxy2-st:35357/v3 | python -mjson.tool

  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 251 100 251 0 0 35070 0 --:--:-- --:--:-- --:--:-- 41833
{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://haproxy2-st:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}

curl command fails with name: which is default but works with the domain id: ????

./newcurlrequest.sh

curl -i -H "Content-Type: application/json" -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "2e5995228c794cc78abcd82a5df7f19c" },
          "password": "xxxxxxx"
        }
      }
    },
    "scope": {
      "project": {
        "name": "admin",
        "domain": { "id": "2e5995228c794cc78abcd82a5df7f19c" }
      }
    }
  }
}' http://haproxy2-st:35357/v3/auth/tokens; echo
~
~
openstack domain list
+----------------------------------+----------+---------+----------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------+---------+----------------+
| 2e5995228c794cc78abcd82a5df7f19c | default | True | Default Domain |
| 9e5e2f7597d34d0fb5a635a719fe45b1 | attswift | True | |
+----------------------------------+----------+---------+----------------+

HTTP/1.1 201 Created
Date: Mon, 06 Feb 2017 19:58:37 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Subject-Token: gAAAAABYmNVu-D3cHP7psRuy-40dqx9o0Rzc2ohHA-mG6j23lZOFSRfNPTW-BruWTepVC0wdW9qJgOI-7mV5iraIf8g8j9M5BUSxDoV3619-lpMqGRKg0Pf_qoq8pCCCNRXSsQmCb9IHi_OD_OzTAI0He54DYUPn-yy5aqUbP6FBDUv21rmoigQ
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-request-id: req-ac1f51e5-ba11-4ac7-810d-d80762f2a8cd
Content-Length: 1770
Content-Type: application/json

{"token": {"methods": ["password"], "roles": [{"id": "e002e7e8058f473a87e5ad6292bfbec9", "name": "admin"}], "expires_at": "2017-02-06T20:58:38.025897Z", "project": {"domain": {"id": "2e5995228c794cc78abcd82a5df7f19c", "name": "default"}, "id": "6c3e9efe2ba44eacbe6fb1068805308d", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": "vtil-swift-2", "url": "http://haproxy2-st:8080/v1/AUTH_6c3e9efe2ba44eacbe6fb1068805308d", "region": "vtil-swift-2", "interface": "internal", "id": "075cc9014b584c848d93db40fa5ef89a"}, {"re...

Looks like keystone is failing to parse the body of the request. Do you have a copy of the request you made? It doesn't look like the previous comment contains the request that gave you that error.

(Note: keystone doesn't do XML anymore so that request wouldn't work anymore)

The error message in question 'There is either no auth token in the request...' is a debug message that is meant to help us while developing. It really is there to let us know that no token, cert, etc. was included in the request. In the case if getting a token that's always going to be logged since you don't yet have a token.

So you have 1 successful REST request using the API and another successful requestion using the openstack client. I originally thought that specifying the domain name was broken. It worked fine for me so I took a closer look at your request and found that there we lots of JSON errors.

 1. Use 'Default' and not 'default' when specifying the name.
 2. There are a few places that don't open or close double quotes properly
 3. There is a period instead of a comma in between the identity and scope sections
 4. There is a ) instead of a } to end the domain section