Requests auth issue when there are multiple threads or processes
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | New | Undecided | Unassigned | |
Bug Description
Observed in train:
Steps to reproduce:
1. Set up devstack(
2. Make the below config changes and restart keystone.
cat /etc/keystone/
```
{
"admin_required": "role:admin or is_admin:1",
"identity:
}
```
cat /etc/keystone/
```
[identity]
domain_
password_
driver = sql
[assignment]
driver = sql
[role]
driver = sql
[resource]
driver = sql
[cache]
memcache_servers = localhost:11211
backend = dogpile.
enabled = True
[oslo_messaging
transport_url = rabbit:
[DEFAULT]
max_token_size = 16384
debug = True
logging_
logging_
logging_
logging_
admin_endpoint = http://
public_endpoint = http://
[token]
provider = fernet
cache_time = 3600
caching = true
expiration = 43200
[revoke]
cache_time = 3600
caching = true
[role]
cache_time = 3600
caching = true
[database]
connection = mysql+pymysql:
[fernet_tokens]
key_repository = /etc/keystone/
[credential]
key_repository = /etc/keystone/
[security_
unique_
lockout_duration = 10
lockout_
```
cat /etc/keystone/
```
[uwsgi]
chmod-socket = 666
socket = /var/run/
lazy-apps = true
add-header = Connection: close
buffer-size = 65535
hook-master-start = unix_signal:15 gracefully_
thunder-lock = true
plugins = http,python
enable-threads = true
worker-reload-mercy = 90
exit-on-reload = false
die-on-term = true
master = true
processes = 2
threads = 2
wsgi-file = /usr/local/
```
3. Create test creds.
```
openstack domain create --description "Test Domain" test-domain
openstack project create --domain Test-Domain --description "Test Project" test-token
openstack user create --domain Test-Domain --password 123456 test-user
```
4. Test script, provide the admin, test creds and required ids in the test script.
# test-script.py
http://
5. Run the test script, python3 test-script.py <no of test repetitions>
Run: python3 test-script.py 10
Expected final outcome: For the above script, test-user with the 'admin' role should be allowed to get the default domain config, and when the role is switched to the 'member' role, the GET request response should be '403'.
```
SCRIPT OUTPUT:
ACTION EXECUTIONS: 20
PASS: 20
FAIL: 0
```
Actual final outcome: Random failures, http://
NOTE: Please increase the processes and/or threads count in /etc/keystone/
Analysis: The script provided above yields a successful result when there are one or a few processes and/or threads configured in /etc/keystone/
Will try to fetch and provide keystone logs when possible.