OpenStack Identity (keystone)

Bug #1687593
Comment #18

Comment 18 for bug 1687593

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-14: Fix merged to keystone (stable/newton)

#18

Reviewed: https://review.openstack.org/483589
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=48a5336d3d4b54f954a0100ab864a5c3f6a71380
Submitter: Jenkins
Branch: stable/newton

commit 48a5336d3d4b54f954a0100ab864a5c3f6a71380
Author: Dave Chen <email address hidden>
Date: Wed Aug 24 18:54:14 2016 +0800

Handle token exception and use proper url for verification

    This commit is a product of two separate commits in order to unwedge
    the stable/newton gate. The first commit is a oauth refactor to
    properly handle token exceptions. The second is a patch to that
    uses the proper url when verifying an oauth request token. The
    problem is that the second patch can't be applied due to the
    refactor from the first. This commit merges the two commits
    together so that their isn't a merge conflict and it passes the
    currently broken gate.

The first commit is:

Handle the exception from creating access token properly

    If there is any request from client with any invalid request
    parameters, invalid signature for example, keystone should
    capture that and raise the exception.

    It was `NotImplementedError`, `TypeError` thrown out and
    presented directly to end user, and nothing helpful message
    is given.

This patch fix that and show as many exception message that
is helpful for diagnosis as possible.

    Change-Id: I112d0cd0c8a460c7b4d8d0e1c0b9c742aab9fde7
    Closes-Bug: #1616424
    (cherry picked from commit be5385c5389aa9c4879647c9b9e4327cc73189a2)

This is the second commit

Change url passed to oauth signature verifier to request url

    OAUTH signature verification should happen with the same URL used for signing.
    Typically at the user end it should be signed with the request URL and hence it
    should be verified with the same.
    Currently keystone uses public endpoint URL for signature verification.

Modified the URL passed to oauth signature verification to request URL.

    Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
    Partial-Bug: #1687593
    (cherry picked from commit 926685c5a4823d7e3ab3879bae1529052fff7d68)

Reviewed:  https://review.openstack.org/483589
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=48a5336d3d4b54f954a0100ab864a5c3f6a71380
Submitter: Jenkins
Branch:    stable/newton

commit 48a5336d3d4b54f954a0100ab864a5c3f6a71380
Author: Dave Chen <wei.d.chen@intel.com>
Date:   Wed Aug 24 18:54:14 2016 +0800

Handle token exception and use proper url for verification
    
    This commit is a product of two separate commits in order to unwedge
    the stable/newton gate. The first commit is a oauth refactor to
    properly handle token exceptions. The second is a patch to that
    uses the proper url when verifying an oauth request token. The
    problem is that the second patch can't be applied due to the
    refactor from the first. This commit merges the two commits
    together so that their isn't a merge conflict and it passes the
    currently broken gate.
    
    The first commit is:
    
    Handle the exception from creating access token properly
    
    If there is any request from client with any invalid request
    parameters, invalid signature for example, keystone should
    capture that and raise the exception.
    
    It was `NotImplementedError`, `TypeError` thrown out and
    presented directly to end user, and nothing helpful message
    is given.
    
    This patch fix that and show as many exception message that
    is helpful for diagnosis as possible.
    
    Change-Id: I112d0cd0c8a460c7b4d8d0e1c0b9c742aab9fde7
    Closes-Bug: #1616424
    (cherry picked from commit be5385c5389aa9c4879647c9b9e4327cc73189a2)
    
    This is the second commit
    
    Change url passed to oauth signature verifier to request url
    
    OAUTH signature verification should happen with the same URL used for signing.
    Typically at the user end it should be signed with the request URL and hence it
    should be verified with the same.
    Currently keystone uses public endpoint URL for signature verification.
    
    Modified the URL passed to oauth signature verification to request URL.
    
    Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
    Partial-Bug: #1687593
    (cherry picked from commit 926685c5a4823d7e3ab3879bae1529052fff7d68)