cannot use newly issued token immediately after admin password change
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
The following issue was observed while running an automated job which changed the password of the admin account (Pike release was used). If an admin token is issued immediately after the admin password is changed, using the token to authenticate to Keystone is met with an Unauthorized error:
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
Steps to reproduce this:
1. generate a token with the current admin password:
curl -d '{"auth"
http://
2. change the admin password using the token generated at step 1:
curl -X PUT -d '{"user":{"id": "<admin-
-H "X-Auth-
-H "Content-type: application/json" \
http://
3. generate a token with the new admin password:
curl -d '{"auth"
-H "Content-type: application/json" \
http://
4. run a simple check using the token generated at 3.:
curl -H "X-Auth-
http://
To reproduce this issue, step 4 needs to be executed immediately after 3. Inserting a 1-2 second delay between 3 and 4 makes the problem go away.
The same issue can be reproduced using v3 API calls instead of 2.0:
1. generate a token with the current admin password:
curl -i -d '{
"password"
"password" : "password",
"domain" : {
"name": "Default" cluster- data.vn1. cloud.suse. de:35357/ v3/auth/ tokens
"auth": {
"identity": {
"methods": [
],
"password": {
"user": {
"name": "admin",
}
}
}
},
"scope": {
"project": {
"name": "admin",
"domain": {
"name": "Default"
}
}
}
}
}' \
-H "Content-type: application/json" \
http://
2. change the admin password using the token generated at step 1:
curl -X PATCH -d '{ default_ project_ id": <admin- project- uuid>, Token:< token-id> " \ cluster- data.vn1. cloud.suse. de:35357/ v3/users/<admin-user-uuid>
"user": {
"name": "admin",
"password": "newpassword",
"
"domain_id": "default",
"enabled": true
}
}' \
-H "X-Auth-
-H "Content-type: application/json" \
http://
3. generate a token with the new admin password:
curl -i -d '{
"password"
"password" : "newpassword",
"domain" : {
"name": "Default" cluster- data.vn1. cloud.suse. de:35357/ v3/auth/ tokens
"auth": {
"identity": {
"methods": [
],
"password": {
"user": {
"name": "admin",
}
}
}
},
"scope": {
"project": {
"name": "admin",
"domain": {
"name": "Default"
}
}
}
}
}' \
-H "Content-type: application/json" \
http://
4. run a simple check using the token generated at 3.:
curl -H "X-Auth- Token:< token-id> " \ cluster- data.vn1. cloud.suse. de:35357/ v3/services
http://