list revoked tokens API returns 500 InternalServerError
The documentation [1] says that the API should return list of expired PKI tokens, signed by the cryptographic message syntax (CMS) but
I am using token format as UUID.
[1] https://developer.openstack.org/api-ref/identity/v3/?expanded=list-revoked-tokens-detail#list-revoked-tokens
Sample program:
1 from keystoneauth1.identity import v3
2 from keystoneauth1 import session
3 from keystoneclient.v3 import client
4 auth = v3.Password(auth_url='http://<host-ip>/identity/v3',
5 user_id=<user_id>,
6 password=<password>,
7 project_id=<project-id>)
8 sess = session.Session(auth=auth)
9 keystone = client.Client(session=sess)
10
11 a = keystone.tokens.get_revoked()
The API which is getting used is below:
GET http://<host-ip>/identity/v3/auth/tokens/OS-PKI/revoked
Curl command:
$ curl -g -i -X GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked -H "X-Auth-Token: eb8fc9de9d154c6daa6b26a14d7c4e0f"
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Jun 2017 05:51:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 143
x-openstack-request-id: req-a6517dc2-08ac-4d62-8d21-c3405159e1f3
Connection: close
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
command prompt traceback:
Traceback (most recent call last):
File "3_keystoneclient_program.py", line 12, in <module>
a = keystone.tokens.get_revoked()
File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
return wrapped(*args, **kwargs)
File "/opt/stack/python-keystoneclient/keystoneclient/v3/tokens.py", line 62, in get_revoked
resp, body = self._client.get(path)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 223, in get
return self.request(url, 'GET', **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 382, in request
resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 148, in request
return self.session.request(url, method, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
return wrapped(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 655, in request
raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7004583f-3556-4b38-877a-b7669b3df3f8)
Keystone logs:
2017-06-07 11:07:13.262 DEBUG keystone.middleware.auth [req-78ad2fdd-6a2d-4489-96c0
-98c7373b3eb2 None None] Authenticating user token from (pid=9498) process_request
/usr/local/lib/python2.7/dist-packages/keystonemiddleware/auth_token/__init__.py:40
1
2017-06-07 11:07:13.270 DEBUG keystone.middleware.auth [req-44f7294f-8430-48d3-b9a6
-4f531544c893 None None] RBAC: auth_context: {'is_delegated_auth': False, 'access_t
oken_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea', 'roles': [u'admin']
, 'user_domain_id': u'default', 'consumer_id': None, 'trustee_id': None, 'is_domain
': False, 'is_admin_project': True, 'trustor_id': None, 'token': <KeystoneToken (au
dit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4
f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'projec
t_domain_id': u'default'} from (pid=9498) fill_context /opt/stack/keystone/keystone
/middleware/auth.py:239
2017-06-07 11:07:13.271 INFO keystone.common.wsgi [req-44f7294f-8430-48d3-b9a6-4f53
1544c893 None None] GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked
2017-06-07 11:07:13.271 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3
-b9a6-4f531544c893 None None] RBAC: Authorizing identity:revocation_list() from (pi
d=9498) _build_policy_check_credentials /opt/stack/keystone/keystone/common/authori
zation.py:136
2017-06-07 11:07:13.272 DEBUG keystone.policy.backends.rules [req-44f7294f-8430-48d
3-b9a6-4f531544c893 None None] enforce identity:revocation_list: {'is_delegated_aut
h': False, 'access_token_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea',
'roles': [u'admin'], 'user_domain_id': u'default', 'consumer_id': None, 'trustee_i
d': None, 'is_domain': False, 'is_admin_project': True, 'trustor_id': None, 'token'
: <KeystoneToken (audit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'project_domain_id': u'default'} from (pid=9498) enforce /opt/stack/keystone/keystone/policy/backends/rules.py:33
2017-06-07 11:07:13.274 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3-b9a6-4f531544c893 None None] RBAC: Authorization granted from (pid=9498) check_policy /opt/stack/keystone/keystone/common/authorization.py:240
Wed Jun 7 09:49:23 2017 - SIGPIPE: writing to a closed pipe/socket/fd (probably th
e client disconnected) on request /identity/v3/auth/tokens/OS-PKI/revoked (ip 10.23
2.48.201) !!!
2017-06-07 09:49:23.972 ERROR keystoneclient.common.cms [req-7004583f-3556-4b38-877
a-b7669b3df3f8 None None] Signing error: Unable to load certificate - ensure you ha
ve configured PKI with "keystone-manage pki_setup"
2017-06-07 09:49:23.972 ERROR keystone.common.wsgi [req-7004583f-3556-4b38-877a-b76
69b3df3f8 None None] Command 'openssl' returned non-zero exit status 3: CalledProce
ssError: Command 'openssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi Traceback (most recent call last
):
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/wsgi.py", line 228, in __call__
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi result = method(req, **param
s)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/controller.py", line 94, in inner
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi return f(self, request, *arg
s, **kwargs)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/auth/controllers.py", line 350, in revocation_list
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CONF.signing.keyfile)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 336, in cms_sign_text
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi signing_key_file_name, messa
ge_digest=message_digest)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 384, in cms_sign_data
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi raise subprocess.CalledProce
ssError(retcode, 'openssl')
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CalledProcessError: Command 'ope
nssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi
[pid: 9498|app: 0|req: 13930/27834] 10.232.48.201 () {58 vars in 1084 bytes} [Wed J
un 7 09:49:23 2017] GET /identity/v3/auth/tokens/OS-PKI/revoked => generated 143 b
ytes in 67 msecs (HTTP/1.1 500) 5 headers in 196 bytes (1 switches on core 0)
It looks like the issue is due to:
"Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"
The OS-PKI work in keystone has been removed and it is no longer possible to return revoked PKI tokens since PKI tokens have been removed. But, we should be handling this case better.