list revoked tokens API returns 500 when pki_setup is not run
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Invalid | Wishlist | Unassigned | |
Bug Description
list revoked tokens API returns 500 InternalServerError
The documentation [1] says that the API should return a list of expired PKI tokens, signed by the cryptographic message syntax (CMS), but I am using UUID as the token format.
Sample program:
from keystoneauth1.
from keystoneauth1 import session
from keystoneclient.v3 import client
auth = v3.Password(
    user_id=<user_id>,
    password=
    project_
sess = session.
keystone = client.

a = keystone.
The API which is getting used is below:
GET http://<host-ip>
Curl command:
$ curl -g -i -X GET http://
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Jun 2017 05:51:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 143
x-openstack-
Connection: close
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
command prompt traceback:
Traceback (most recent call last):
File "3_keystoneclie
a = keystone.
File "/usr/local/
return wrapped(*args, **kwargs)
File "/opt/stack/
resp, body = self._client.
File "/usr/local/
return self.request(url, 'GET', **kwargs)
File "/usr/local/
resp = super(LegacyJso
File "/usr/local/
return self.session.
File "/usr/local/
return wrapped(*args, **kwargs)
File "/usr/local/
raise exceptions.
keystoneauth1.
Keystone logs:
2017-06-07 11:07:13.262 DEBUG keystone.
-98c7373b3eb2 None None] Authenticating user token from (pid=9498) process_request
/usr/local/
1
2017-06-07 11:07:13.270 DEBUG keystone.
-4f531544c893 None None] RBAC: auth_context: {'is_delegated_
oken_id': None, 'user_id': u'3ad182b5723d4
, 'user_domain_id': u'default', 'consumer_id': None, 'trustee_id': None, 'is_domain': False, 'is_admin_project': True, 'trustor_id': None, 'token': <KeystoneToken (audit_id=
f3c8>, 'project_id': u'c76af8728a564
t_domain_id': u'default'} from (pid=9498) fill_context /opt/stack/
/middleware/
2017-06-07 11:07:13.271 INFO keystone.
1544c893 None None] GET http://
2017-06-07 11:07:13.271 DEBUG keystone.
-b9a6-4f531544c893 None None] RBAC: Authorizing identity:
d=9498) _build_
zation.py:136
2017-06-07 11:07:13.272 DEBUG keystone.
3-b9a6-4f531544c893 None None] enforce identity:
h': False, 'access_token_id': None, 'user_id': u'3ad182b5723d4
'roles': [u'admin'], 'user_domain_id': u'default', 'consumer_id': None, 'trustee_id': None, 'is_domain': False, 'is_admin_project': True, 'trustor_id': None, 'token': <KeystoneToken (audit_
2017-06-07 11:07:13.274 DEBUG keystone.
Wed Jun 7 09:49:23 2017 - SIGPIPE: writing to a closed pipe/socket/fd (probably the client disconnected) on request /identity/
2.48.201) !!!
2017-06-07 09:49:23.972 ERROR keystoneclient.
a-b7669b3df3f8 None None] Signing error: Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"
2017-06-07 09:49:23.972 ERROR keystone.
69b3df3f8 None None] Command 'openssl' returned non-zero exit status 3: CalledProcessError: Command 'openssl' returned non-zero exit status 3
[pid: 9498|app: 0|req: 13930/27834] 10.232.48.201 () {58 vars in 1084 bytes} [Wed Jun 7 09:49:23 2017] GET /identity/
ytes in 67 msecs (HTTP/1.1 500) 5 headers in 196 bytes (1 switches on core 0)
Changed in keystone: | |
assignee: | nobody → Nisha Yadav (ynisha11) |
tags: | removed: low-hanging-fruit |
It looks like the issue is due to:
"Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup""
The OS-PKI work in keystone has been removed and it is no longer possible to return revoked PKI tokens since PKI tokens have been removed. But, we should be handling this case better.
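An added example, not Keystone's code and not part of the original report: a sketch of a revocation-list handler that answers explicitly when the token format is not PKI and turns a signer failure into a stable error body instead of an unhandled 500. The handler name, the stand-in signers and the 410/503 status choices are assumptions made for illustration; the error body shape copies the JSON shown in the report.

```python
import json
import logging
import subprocess

LOG = logging.getLogger("revocation_example")


def failing_signer(payload):
    """Constructed stand-in for a signer with no certificate configured.
    Raises the same error the report's log shows for 'openssl'."""
    raise subprocess.CalledProcessError(3, "openssl")


def fake_signer(payload):
    """Constructed stand-in for a working CMS signer (no real crypto)."""
    return "SIGNED(" + payload + ")"


def error_body(code, title, message):
    # Same JSON shape as the error response shown in the report.
    return {"error": {"message": message, "code": code, "title": title}}


def list_revoked_tokens(token_provider, revoked, signer):
    """Return (status, body) for a revocation-list request.

    Hypothetical handler: the status codes are illustrative choices,
    not Keystone's documented behaviour.
    """
    if token_provider != "pki":
        # UUID tokens have no signed revocation list: say so and never
        # invoke the signer at all.
        return 410, error_body(
            410, "Gone",
            "Signed revocation lists are only available for PKI tokens.")
    payload = json.dumps({"revoked": revoked}, sort_keys=True)
    try:
        signed = signer(payload)
    except (subprocess.CalledProcessError, OSError) as exc:
        # Operator detail goes to the server log; the client gets a fixed
        # message that does not echo commands, paths or exit codes.
        LOG.error("revocation list signing failed: %s", exc)
        return 503, error_body(
            503, "Service Unavailable",
            "Revocation list signing is not configured on this server.")
    return 200, {"signed": signed}
```
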