the service tries to get a new admin token when the user's token fails to validate
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Jesse Andrews |
Bug Description
from http://
the service tries to get a new admin token when the user's token fails to validate (see below for example)
(heckj) desired behavior? It should fail and return a 401 unauthorized response.
(jesse) if the user's token doesn't validate it means the user's token is invalid, which is different than failing to validate because the auth middleware's token is not valid. bug #942984 is about not being able to get an admin token, whereas this is about the user's token being wrong
(related to bug #942984) (keystone)
(related to bug #942983) (keystone)
(depends on bug #942979) (devstack)
Example:
Glance fails on essex-kvm (and others) after you use an invalid token
* This fails because auth_token is cleared after an attempt to validate any token fails under the (outdated) assumption that admin_token has expired and a new one is needed. This is why I think item #3 is needed. A response code should say 503 Service unavailable - and then on the log for keystone explain why it is failing (failed to retrieve token for tenant/user service/glance)
$ glance index
$ glance -A 6f6d341bc6914aa
both return:
ID Name Disk Format Container Format Size
-------
8e43673a-
c7bdd9cb-
313b5457-
df669e1d-
b0a5025e-
885adc2c-
6caca3a3-
497a1632-
87c7ca1b-
08dc282b-
Then kill glance via:
$ glance -A FOO index
Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).
Then any queries to glance fail until glance is restarted:
$ glance -A 6f6d341bc6914aa
Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).
$ glance index
Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).
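
The sequence above can be replayed against a small model of the middleware logic. This is an added example, not keystone's middleware code: the class, the outcome strings and the sample tokens are hypothetical, and it assumes the middleware cannot re-fetch a service token once its configured one has been cleared.

```python
# Added illustration; a simplified model, not keystone's middleware code.
VALID_USER_TOKENS = {"user-token-ok"}      # constructed sample data
VALID_ADMIN_TOKENS = {"admin-token-ok"}    # constructed sample data


def identity_validate(admin_token, user_token):
    """Stand-in for the identity service's token-validation call."""
    if admin_token not in VALID_ADMIN_TOKENS:
        return "admin_rejected"            # the middleware's own token is bad
    if user_token not in VALID_USER_TOKENS:
        return "user_invalid"              # the caller's token is bad
    return "ok"


class TokenMiddleware:
    def __init__(self, admin_token, clear_on_any_failure,
                 fetch_admin_token=lambda: None):
        self.admin_token = admin_token
        self.clear_on_any_failure = clear_on_any_failure
        # Assumption: re-fetching fails by default (no usable service credentials).
        self.fetch_admin_token = fetch_admin_token

    def handle(self, user_token):
        """Return the HTTP status the protected service would answer with."""
        if self.admin_token is None:
            self.admin_token = self.fetch_admin_token()
        if self.admin_token is None:
            # Behaviour reported on the page: callers only see "not authorized".
            # The separated variant reports the service-side failure as 503.
            return 401 if self.clear_on_any_failure else 503
        outcome = identity_validate(self.admin_token, user_token)
        if outcome == "ok":
            return 200
        if outcome == "admin_rejected" or self.clear_on_any_failure:
            self.admin_token = None        # force a re-fetch on the next request
        return 401 if outcome == "user_invalid" else 503


def replay(clear_on_any_failure):
    """Replay the page's sequence: good token, bad token, good token again."""
    mw = TokenMiddleware("admin-token-ok", clear_on_any_failure)
    return [mw.handle(t) for t in ("user-token-ok", "FOO", "user-token-ok")]
```

With clear_on_any_failure=True one bad user token locks out every later caller; with False the bad token gets a 401 and the next valid request still succeeds.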
description: updated
Changed in keystone: milestone: essex-rc1 → essex-4
Changed in keystone: milestone: essex-4 → essex-rc1
Changed in keystone: assignee: nobody → Jesse Andrews (anotherjesse)
Changed in keystone: status: Fix Committed → Fix Released
Changed in keystone: milestone: essex-rc1 → 2012.1
A token not validating in this case is not a reason to return an error code. If the caller (the service) is authenticated but the token it is checking is not valid, this should return HTTP response code 200, but the body of the request should indicate that the token is invalid.