list revoked tokens API returns 500 when pki_setup is not run

Bug #1696308 reported by Dinesh Bhor on 2017-06-07
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Wishlist
Unassigned

Bug Description

list revoked tokens API returns 500 InternalServerError

The documentation [1] says that the API should return list of expired PKI tokens, signed by the cryptographic message syntax (CMS) but
I am using token format as UUID.

[1] https://developer.openstack.org/api-ref/identity/v3/?expanded=list-revoked-tokens-detail#list-revoked-tokens

Sample program:

  1 from keystoneauth1.identity import v3
  2 from keystoneauth1 import session
  3 from keystoneclient.v3 import client
  4 auth = v3.Password(auth_url='http://<host-ip>/identity/v3',
  5 user_id=<user_id>,
  6 password=<password>,
  7 project_id=<project-id>)
  8 sess = session.Session(auth=auth)
  9 keystone = client.Client(session=sess)
 10
 11 a = keystone.tokens.get_revoked()

The API which is getting used is below:

GET http://<host-ip>/identity/v3/auth/tokens/OS-PKI/revoked

Curl command:
$ curl -g -i -X GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked -H "X-Auth-Token: eb8fc9de9d154c6daa6b26a14d7c4e0f"
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Jun 2017 05:51:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 143
x-openstack-request-id: req-a6517dc2-08ac-4d62-8d21-c3405159e1f3
Connection: close

{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}

command prompt traceback:

Traceback (most recent call last):
  File "3_keystoneclient_program.py", line 12, in <module>
    a = keystone.tokens.get_revoked()
  File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/opt/stack/python-keystoneclient/keystoneclient/v3/tokens.py", line 62, in get_revoked
    resp, body = self._client.get(path)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 223, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 382, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 148, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 655, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7004583f-3556-4b38-877a-b7669b3df3f8)

Keystone logs:

2017-06-07 11:07:13.262 DEBUG keystone.middleware.auth [req-78ad2fdd-6a2d-4489-96c0
-98c7373b3eb2 None None] Authenticating user token from (pid=9498) process_request
/usr/local/lib/python2.7/dist-packages/keystonemiddleware/auth_token/__init__.py:40
1
2017-06-07 11:07:13.270 DEBUG keystone.middleware.auth [req-44f7294f-8430-48d3-b9a6
-4f531544c893 None None] RBAC: auth_context: {'is_delegated_auth': False, 'access_t
oken_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea', 'roles': [u'admin']
, 'user_domain_id': u'default', 'consumer_id': None, 'trustee_id': None, 'is_domain
': False, 'is_admin_project': True, 'trustor_id': None, 'token': <KeystoneToken (au
dit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4
f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'projec
t_domain_id': u'default'} from (pid=9498) fill_context /opt/stack/keystone/keystone
/middleware/auth.py:239
2017-06-07 11:07:13.271 INFO keystone.common.wsgi [req-44f7294f-8430-48d3-b9a6-4f53
1544c893 None None] GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked
2017-06-07 11:07:13.271 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3
-b9a6-4f531544c893 None None] RBAC: Authorizing identity:revocation_list() from (pi
d=9498) _build_policy_check_credentials /opt/stack/keystone/keystone/common/authori
zation.py:136
2017-06-07 11:07:13.272 DEBUG keystone.policy.backends.rules [req-44f7294f-8430-48d
3-b9a6-4f531544c893 None None] enforce identity:revocation_list: {'is_delegated_aut
h': False, 'access_token_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea',
 'roles': [u'admin'], 'user_domain_id': u'default', 'consumer_id': None, 'trustee_i
d': None, 'is_domain': False, 'is_admin_project': True, 'trustor_id': None, 'token'
: <KeystoneToken (audit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'project_domain_id': u'default'} from (pid=9498) enforce /opt/stack/keystone/keystone/policy/backends/rules.py:33
2017-06-07 11:07:13.274 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3-b9a6-4f531544c893 None None] RBAC: Authorization granted from (pid=9498) check_policy /opt/stack/keystone/keystone/common/authorization.py:240

Wed Jun 7 09:49:23 2017 - SIGPIPE: writing to a closed pipe/socket/fd (probably th
e client disconnected) on request /identity/v3/auth/tokens/OS-PKI/revoked (ip 10.23
2.48.201) !!!
2017-06-07 09:49:23.972 ERROR keystoneclient.common.cms [req-7004583f-3556-4b38-877
a-b7669b3df3f8 None None] Signing error: Unable to load certificate - ensure you ha
ve configured PKI with "keystone-manage pki_setup"
2017-06-07 09:49:23.972 ERROR keystone.common.wsgi [req-7004583f-3556-4b38-877a-b76
69b3df3f8 None None] Command 'openssl' returned non-zero exit status 3: CalledProce
ssError: Command 'openssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi Traceback (most recent call last
):
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/wsgi.py", line 228, in __call__
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi result = method(req, **param
s)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/controller.py", line 94, in inner
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi return f(self, request, *arg
s, **kwargs)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/auth/controllers.py", line 350, in revocation_list
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CONF.signing.keyfile)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 336, in cms_sign_text
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi signing_key_file_name, messa
ge_digest=message_digest)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 384, in cms_sign_data
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi raise subprocess.CalledProce
ssError(retcode, 'openssl')
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CalledProcessError: Command 'ope
nssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi
[pid: 9498|app: 0|req: 13930/27834] 10.232.48.201 () {58 vars in 1084 bytes} [Wed J
un 7 09:49:23 2017] GET /identity/v3/auth/tokens/OS-PKI/revoked => generated 143 b
ytes in 67 msecs (HTTP/1.1 500) 5 headers in 196 bytes (1 switches on core 0)

Lance Bragstad (lbragstad) wrote :

It looks like the issue is due to:

"Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"

The OS-PKI work in keystone has been removed and it is no longer possible to return revoked PKI tokens since PKI tokens have been removed. But, we should be handling this case better.

Changed in keystone:
status: New → Triaged
importance: Undecided → High
Lance Bragstad (lbragstad) wrote :

Setting this to high since it is backwards incompatible when keystone-manage pki_setup hasn't been run in the deployment.

Lance Bragstad (lbragstad) wrote :

On second thought, if a deployment is not expecting to issue or use PKI tokens, a 500 seems like the right response. We take a similar stance when using Fernet tokens. If a key repository hasn't been setup to encrypt and decrypt tokens, keystone will 500 the authentication or validation request [0].

Bumping this to wishlist in case we want to provide a better description in the error (maybe something that eludes to PKI not being used or useful).

[0] https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L33-L45

Changed in keystone:
importance: High → Wishlist
tags: added: low-hanging-fruit
summary: - list revoked tokens API returns 500 InternalServerError
+ list revoked tokens API returns 500 when pki_setup is not run
Nisha Yadav (ynisha11) on 2017-06-14
Changed in keystone:
assignee: nobody → Nisha Yadav (ynisha11)
Lance Bragstad (lbragstad) wrote :

Another thing we can do now that PKI isn't in master, is make it so that API returns an empty list.

Changed in keystone:
milestone: none → pike-rc1
Matthew Edmonds (edmondsw) wrote :

revoked tokens weren't specific to PKI (contrary to some documentation and code comments). They worked with UUID tokens as well as long as you setup the certificate signing (since the revocation list is signed... i.e., signing wasn't just for PKI). I suspect someone believed the incorrect docs/comments and removed more than they should have here...

Lance Bragstad (lbragstad) wrote :

Ah - good to know. In that case, we should take steps to clarify the documentation and comments.

Lance Bragstad (lbragstad) wrote :

There is a patch up that addresses this - https://review.openstack.org/#/c/490685/

Changed in keystone:
status: Triaged → In Progress
Lance Bragstad (lbragstad) wrote :

Bumping this from rc1 since the proposed solution contains an API change. We need to discuss approaches like this at the PTG (microversions).

Changed in keystone:
milestone: pike-rc1 → none
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Nisha Yadav (ynisha11) → nobody
Colleen Murphy (krinkle) on 2018-10-29
tags: removed: low-hanging-fruit
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers