Activity log for bug #942985

Date Who What changed Old value New value Message
2012-02-29 00:14:35 Joseph Heck bug added bug
2012-02-29 00:18:18 Joseph Heck description

Old value:

from http://etherpad.openstack.org/keystone-admin-config:

the service tries to get a new admin token when the user's token fails to validate (see below for example)
    (heckj) desired behavior? It should fail and return a 401 unauthorized response.
    (jesse) if the user's token doesn't validate it means the user's token is invalid, which is different than failing to validate because the auth middleware's token is not valid. item #3 is about not being able to get an admin token, whereas this is about the user's token being wrong

(related to bug #942984) (keystone)
(related to bug #942983) (keystone)
(depends on bug #942979) (devstack)

Example: Glance fails on essex-kvm (and others) after you use an invalid token
* This fails because auth_token is cleared after an attempt to validate any token fails under the (outdated) assumption that admin_token has expired and a new one is needed. This is why I think item #3 is needed. A response code should say 503 Service unavailable - and then on the log for keystone explain why it is failing (failed to retrieve token for tenant/user service/glance)

    $ glance index
    $ glance -A 6f6d341bc6914aa3b30b5408cd35813e index

both return:

    ID                                   Name                           Disk Format          Container Format     Size
    ------------------------------------ ------------------------------ -------------------- -------------------- --------------
    8e43673a-78a6-463a-acd5-bd43fb089244 cirros-0.3.0-x86_64-rootfs     ami                  ami                        25165824
    c7bdd9cb-ca04-4b6f-a0b3-465d63b5246f cirros-0.3.0-x86_64-blank-ramd ari                  ari                         2254249
    313b5457-9015-4692-853a-ebd7b5ab76cc cirros-0.3.0-x86_64-blank      ami                  ami                        25165824
    df669e1d-2355-434c-abc2-e97496de1754 cirros-0.3.0-x86_64-blank-kern aki                  aki                         4731440
    b0a5025e-b9bd-4ca8-99cf-c55f1b9cc296 oneiric-server-cloudimg-amd64  ami                  ami                      1476395008
    885adc2c-026f-42c7-b292-ff64aea6256c oneiric-server-cloudimg-amd64- aki                  aki                         4738064
    6caca3a3-0bc5-4655-84bb-11baa753d1d0 natty-server-cloudimg-amd64    ami                  ami                      1476395008
    497a1632-fc1f-4772-8959-518b0bd8fab0 natty-server-cloudimg-amd64-ke aki                  aki                         4596064
    87c7ca1b-cd28-4dcf-ade6-3bba4abb130f ttylinux-uec-amd64-11.2_2.6.35 aki                  aki                         4435920
    08dc282b-42c7-4cf8-a122-f90214c0ce23 ttylinux-uec-amd64-11.2_2.6.35 ami                  ami                        16777216

Then kill glance via:

    $ glance -A FOO index
    Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

Then any queries to glance fail until glance is restarted:

    $ glance -A 6f6d341bc6914aa3b30b5408cd35813e index
    Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).
    $ glance index
    Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

New value:

from http://etherpad.openstack.org/keystone-admin-config:

the service tries to get a new admin token when the user's token fails to validate (see below for example)
    (heckj) desired behavior? It should fail and return a 401 unauthorized response.
    (jesse) if the user's token doesn't validate it means the user's token is invalid, which is different than failing to validate because the auth middleware's token is not valid. bug #942984 is about not being able to get an admin token, whereas this is about the user's token being wrong

(related to bug #942984) (keystone)
(related to bug #942983) (keystone)
(depends on bug #942979) (devstack)

Example: Glance fails on essex-kvm (and others) after you use an invalid token
* This fails because auth_token is cleared after an attempt to validate any token fails under the (outdated) assumption that admin_token has expired and a new one is needed. This is why I think item #3 is needed. A response code should say 503 Service unavailable - and then on the log for keystone explain why it is failing (failed to retrieve token for tenant/user service/glance)

    $ glance index
    $ glance -A 6f6d341bc6914aa3b30b5408cd35813e index

both return:

    ID                                   Name                           Disk Format          Container Format     Size
    ------------------------------------ ------------------------------ -------------------- -------------------- --------------
    8e43673a-78a6-463a-acd5-bd43fb089244 cirros-0.3.0-x86_64-rootfs     ami                  ami                        25165824
    c7bdd9cb-ca04-4b6f-a0b3-465d63b5246f cirros-0.3.0-x86_64-blank-ramd ari                  ari                         2254249
    313b5457-9015-4692-853a-ebd7b5ab76cc cirros-0.3.0-x86_64-blank      ami                  ami                        25165824
    df669e1d-2355-434c-abc2-e97496de1754 cirros-0.3.0-x86_64-blank-kern aki                  aki                         4731440
    b0a5025e-b9bd-4ca8-99cf-c55f1b9cc296 oneiric-server-cloudimg-amd64  ami                  ami                      1476395008
    885adc2c-026f-42c7-b292-ff64aea6256c oneiric-server-cloudimg-amd64- aki                  aki                         4738064
    6caca3a3-0bc5-4655-84bb-11baa753d1d0 natty-server-cloudimg-amd64    ami                  ami                      1476395008
    497a1632-fc1f-4772-8959-518b0bd8fab0 natty-server-cloudimg-amd64-ke aki                  aki                         4596064
    87c7ca1b-cd28-4dcf-ade6-3bba4abb130f ttylinux-uec-amd64-11.2_2.6.35 aki                  aki                         4435920
    08dc282b-42c7-4cf8-a122-f90214c0ce23 ttylinux-uec-amd64-11.2_2.6.35 ami                  ami                        16777216

Then kill glance via:

    $ glance -A FOO index
    Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

Then any queries to glance fail until glance is restarted:

    $ glance -A 6f6d341bc6914aa3b30b5408cd35813e index
    Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).
    $ glance index
    Not authorized to make this request. Check your credentials (OS_AUTH_USER, OS_AUTH_KEY, ...).

2012-02-29 00:20:41 Joseph Heck keystone: milestone essex-rc1 essex-4
2012-02-29 09:03:08 Jesse Andrews keystone: milestone essex-4 essex-rc1
2012-03-01 22:35:35 OpenStack Infra keystone: status Confirmed Fix Committed
2012-03-13 21:24:35 Jesse Andrews keystone: assignee Jesse Andrews (anotherjesse)
2012-03-23 20:52:08 Thierry Carrez keystone: status Fix Committed Fix Released
2012-04-05 08:32:49 Thierry Carrez keystone: milestone essex-rc1 2012.1
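
Added example (not part of the bug report and not keystone's own code): a simplified Python model of the failure in the description above, where one invalid user token makes the middleware discard its admin token, next to the behaviour the report asks for (401 for a bad user token, 503 when no admin token can be obtained). The Identity class, its 401/404 signalling and every token string except FOO are assumptions made for illustration.

```python
class Identity:
    """Constructed stand-in for the identity service (hypothetical API)."""
    ADMIN = "admin-token"
    USERS = {"valid-user-token"}

    def __init__(self, can_issue=False):
        self.can_issue = can_issue  # False models a failed admin re-auth

    def issue_admin_token(self):
        return self.ADMIN if self.can_issue else None

    def validate(self, admin_token, user_token):
        if admin_token != self.ADMIN:
            return 401  # assumption: the middleware's own token was rejected
        return 200 if user_token in self.USERS else 404  # 404: bad user token


class BuggyMiddleware:
    """Drops its admin token whenever any validation fails."""
    def __init__(self, identity):
        self.identity, self.admin_token = identity, Identity.ADMIN

    def handle(self, user_token):
        if self.identity.validate(self.admin_token, user_token) == 200:
            return 200
        self.admin_token = self.identity.issue_admin_token()  # may be None
        return 401


class FixedMiddleware(BuggyMiddleware):
    """Re-authenticates only when the admin token itself is rejected."""
    def handle(self, user_token):
        for _ in range(2):  # at most one admin re-auth per request
            status = self.identity.validate(self.admin_token, user_token)
            if status == 200:
                return 200
            if status == 404:
                return 401  # caller's token is bad; admin token untouched
            self.admin_token = self.identity.issue_admin_token()
            if self.admin_token is None:
                return 503  # cannot obtain an admin token: service problem
        return 503


def replay(middleware_cls):
    """Replay the report's sequence: valid token, FOO, valid token again."""
    mw = middleware_cls(Identity())
    return [mw.handle(t) for t in ("valid-user-token", "FOO", "valid-user-token")]
```

With the buggy class the third request is refused even though its token is valid, which matches the "fails until glance is restarted" symptom; the fixed class keeps serving valid tokens.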