Keystone produces an error after trying to read application_credential even if not set
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | In Progress | Undecided | Douglas Mendizábal | |
Bug Description
If you are authed using application credentials and try to add a loadbalancer listener with TERMINATED_HTTPS, keystone produces an error causing a 500 internal error.
After digging through the code I found that it's caused by keystone adding application_
Octavia doesn't try to use application credentials in the payload, it tries to auth with method: ["token"]. It is keystone that adds application_
Octavia auth payload is created here:
https:/
The payload sent to keystone looks like this:
{
    "data": {
        "auth": {
        }
    }
}
Keystone adds application_secret to allowed_methods here:
https:/
Keystone then tries to read the id of the application credential, which will fail as it is not included in the auth payload: https:/
This causes a keystone error and you get a 500 internal error sent back to octavia.
Steps to reproduce:
1. Create an application credential with openstack application credential create.
2. Auth using the application credential
3. Try to add a terminated_https loadbalancer with openstack loadbalancer listener create
If you want to isolate the keystone auth failure without going through octavia you can do so with:
curl -H "Content-Type: application/json" https://<keystone url>/v3/auth/tokens -d '{"auth": {"identity": {"methods": ["token"], "token": {"id": "<token id>"}}, "scope": {"project": {"id": "<project id>"}}}}'
Changed in keystone:
assignee: nobody → Douglas Mendizábal (dougmendizabal)
Changed in keystone:
status: Confirmed → In Progress
I can create a patch that checks if application_credential is set and only then tries to read it. But I'm not sure if the current enforcement of application_credential being set in the payload was deliberate or not.
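The failure mode the description walks through (a server-side step adding application_credential to the allowed methods and then reading the credential id unconditionally from a token-only payload) next to the presence check the comment above proposes, as an added Python illustration. It is not keystone's code and not the reporter's patch; every name (handle_auth_buggy, handle_auth_fixed, allowed_methods, the token_created_by_app_cred flag, AuthError, status_for) and the sample payload are constructed for the example.

```python
"""Constructed illustration of the bug's failure mode: an auth handler that
extends the allowed methods with "application_credential" and then reads the
credential id without checking it was supplied, beside a variant that checks
first. Hypothetical names throughout; this is not keystone's code."""
import json

# Constructed sample request: token-scoped auth with no application
# credential in the payload, the shape the report describes octavia sending.
TOKEN_AUTH_PAYLOAD = json.dumps({
    "auth": {
        "identity": {"methods": ["token"], "token": {"id": "tok-example"}},
        "scope": {"project": {"id": "proj-example"}},
    }
})

# Constructed malformed request: the method data is present but has no id.
MALFORMED_APP_CRED_PAYLOAD = json.dumps({
    "auth": {
        "identity": {
            "methods": ["application_credential"],
            "application_credential": {"secret": "not-a-real-secret"},
        }
    }
})


class AuthError(Exception):
    """A client-visible failure (maps to a 4xx), as opposed to a crash."""


def allowed_methods(identity, token_created_by_app_cred=True):
    """Hypothetical policy step: when the incoming token was itself minted
    from an application credential, the server appends that method to the
    allowed list even though the client did not send it."""
    methods = list(identity["methods"])
    if token_created_by_app_cred:
        methods.append("application_credential")
    return methods


def handle_auth_buggy(raw_payload):
    """Reads identity["application_credential"]["id"] purely because the
    method is in the allowed list. A token-only payload has no such key, so
    this raises KeyError, which an HTTP layer would surface as a 500."""
    identity = json.loads(raw_payload)["auth"]["identity"]
    result = {"methods": allowed_methods(identity)}
    if "application_credential" in result["methods"]:
        result["app_cred_id"] = identity["application_credential"]["id"]
    return result


def handle_auth_fixed(raw_payload):
    """Same flow, but only reads the application credential id when the
    client actually supplied that method's data, and treats incomplete
    client data as a client error rather than a crash."""
    identity = json.loads(raw_payload)["auth"]["identity"]
    result = {"methods": allowed_methods(identity)}
    app_cred = identity.get("application_credential")
    if app_cred is not None:
        if "id" not in app_cred:
            raise AuthError("application_credential requires an id")
        result["app_cred_id"] = app_cred["id"]
    return result


def status_for(handler, raw_payload):
    """Maps a handler outcome to the HTTP status an API layer would return,
    so the two variants can be compared on the same input."""
    try:
        handler(raw_payload)
        return 201
    except AuthError:
        return 400
    except (KeyError, TypeError):
        return 500


if __name__ == "__main__":
    for name, handler in (("buggy", handle_auth_buggy), ("fixed", handle_auth_fixed)):
        print(name, "token-only payload ->", status_for(handler, TOKEN_AUTH_PAYLOAD))
        print(name, "malformed app cred  ->", status_for(handler, MALFORMED_APP_CRED_PAYLOAD))
```

The point of the two variants is that the allowed-methods list and the method data in the payload are separate inputs: the first is server-derived, the second is client-supplied, so the handler must check the second before indexing into it, and a missing or incomplete block is a request error, not a server fault.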