Create OAUTH request token gives 401 error when request url is admin endpoint

Bug #1687593 reported by Hemanth Nakkina on 2017-05-02
Affects | Importance | Assigned to
OpenStack Identity (keystone) | Medium | Hemanth Nakkina
Newton | High | Lance Bragstad
Ocata | High | Lance Bragstad
python-keystoneclient | Undecided | xuhaigang

Bug Description

The create request token API returns a 401 error when the request URL is the admin endpoint.

Error scenario:
The URL used to generate the OAUTH signature and for the POST request is the Keystone admin endpoint:
http://<keystone ip:port>/identity_admin/v3/OS-OAUTH1/request_token

Working scenario:
When the URL used to generate the OAUTH signature is the public endpoint, the response is 201:
http://<keystone ip:port>/identity/v3/OS-OAUTH1/request_token

Endpoints in devstack for identity:
ocata@ocata-VirtualBox:~/devstack$ openstack endpoint list | grep identity
| 549f73e17b0e471e95176bb508561bb3 | RegionOne | keystone | identity | True | internal | http://192.168.56.101/identity |
| 739cda51666f4ab197241beac5c5c14c | RegionOne | keystone | identity | True | admin | http://192.168.56.101/identity_admin |
| a0eb39c0ecff46c3b61bc6184c42bc13 | RegionOne | keystone | identity | True | public | http://192.168.56.101/identity

Steps to reproduce the problem:

Run the python script at the link below (changing the necessary credentials and IP address):
https://pastebin.com/AqL9674n

If #L38 is modified to the public endpoint (http://<keystone ip:port>/identity/v3/OS-OAUTH1/request_token), the status code is 201.

It seems like the Keystone code verifies the OAUTH signature using the public endpoint irrespective of the request URL.

Hemanth Nakkina (hemanth-n) wrote :

This bug fix will affect Python keystoneclient, as in the current version 'openstack request token create' always uses the public endpoint for the OAUTH signature irrespective of the --os-interface specified.

Changed in keystone:
assignee: nobody → Hemanth Nakkina (hemanth-n)
Hemanth Nakkina (hemanth-n) wrote :

This bug applies to 2 APIs: OAUTH create request token and OAUTH create access token.

Fix proposed to branch: master
Review: https://review.openstack.org/461736

Changed in keystone:
status: New → In Progress
no longer affects: python-keystoneclient (Ubuntu)

Reviewed: https://review.openstack.org/461736
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=926685c5a4823d7e3ab3879bae1529052fff7d68
Submitter: Jenkins
Branch: master

commit 926685c5a4823d7e3ab3879bae1529052fff7d68
Author: Hemanth Nakkina <email address hidden>
Date: Tue May 2 16:44:21 2017 +0530

    Change url passed to oauth signature verifier to request url

    OAUTH signature verification should happen with the same URL used for signing.
    Typically at the user end it should be signed with the request URL and hence it
    should be verified with the same.
    Currently keystone uses public endpoint URL for signature verification.

    Modified the URL passed to oauth signature verification to request URL.

    Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
    Partial-Bug: #1687593

Fix proposed to branch: master
Review: https://review.openstack.org/463831

Changed in python-keystoneclient:
assignee: nobody → xuhaigang (rocky0722)
status: New → In Progress
Hemanth Nakkina (hemanth-n) wrote :

https://review.openstack.org/461736 does not cover the scenario where the keystone endpoint is registered with HTTPS, the HTTPS endpoint is terminated at HAProxy, and keystone receives HTTP requests from HAProxy.

A new patch will be submitted to fix this in Keystone.

Reviewed: https://review.openstack.org/464577
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b7aece57d2845fcfa45a84e6d21a6188ddd192cc
Submitter: Jenkins
Branch: master

commit b7aece57d2845fcfa45a84e6d21a6188ddd192cc
Author: Hemanth Nakkina <email address hidden>
Date: Mon May 15 14:30:24 2017 +0530

    Change url scheme passed to oauth signature verifier

    Change 461736 modifies the url passed to oauth signature verifier to
    request url. But in some deployments, https endpoints are terminated
    at haproxy and http request is sent to keystone. So request url will
    have http as url scheme whereas the endpoint is registered with https
    and signature at client is done with https url. This results in OAUTH
    signature validation failure.

    Update URL sent for OAUTH signature verification with the scheme of
    the base url.

    Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
    Partial-Bug: #1687593
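
The bug description and the two commits above (461736 and 464577) describe the rule at the heart of this bug: an OAuth 1.0a verifier has to recompute the signature over exactly the URL the client signed, and a TLS-terminating proxy that forwards https traffic as http breaks the naive "use the request URL" version. The Python below is an added illustration and is not keystone's own code: a minimal RFC 5849 HMAC-SHA1 signer and verifier, with the three server-side URL choices (public endpoint, raw request URL, request URL with the base URL's scheme) checked side by side. The consumer key and secret, nonce, timestamp, hostnames and base URL are all constructed values.

```python
"""Added example (not keystone code): RFC 5849 HMAC-SHA1 signing/verification
and why the verifier must rebuild the exact URL the client signed."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit, urlunsplit


def _enc(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")


def normalized_url(url):
    """RFC 5849 section 3.4.1.2 base string URI: lowercase scheme and host,
    drop default ports, drop query string and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = "%s:%d" % (host, port)
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(normalized params)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized_params = "&".join("%s=%s" % pair for pair in pairs)
    return "&".join([method.upper(), _enc(normalized_url(url)), _enc(normalized_params)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: HMAC-SHA1 over the base string, keyed with both secrets."""
    key = ("%s&%s" % (_enc(consumer_secret), _enc(token_secret))).encode("ascii")
    base = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def verify_signature(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute over the URL the server believes was signed,
    compare in constant time."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def verification_url(request_url, base_url):
    """Keep host and path of the URL actually received, but take the scheme from
    the configured base URL, so an https request forwarded as http by a
    TLS-terminating proxy is verified against the https URL the client signed."""
    return urlunsplit((urlsplit(base_url).scheme,) + tuple(urlsplit(request_url)[1:]))


def demo():
    """Constructed scenario: the client signs the admin endpoint URL over https;
    keystone sits behind a proxy and receives the same request over http."""
    consumer_secret = "example-consumer-secret"  # constructed value
    admin_url = "https://keystone.example/identity_admin/v3/OS-OAUTH1/request_token"
    public_url = "https://keystone.example/identity/v3/OS-OAUTH1/request_token"
    params = {  # constructed OAuth 1.0a protocol parameters
        "oauth_consumer_key": "example-consumer-id",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1493725461",
        "oauth_nonce": "6fbd4d5f5b2e4c1c",
        "oauth_version": "1.0",
        "oauth_callback": "oob",
    }
    params["oauth_signature"] = hmac_sha1_signature("POST", admin_url, params, consumer_secret)

    # What the server sees after the proxy: same host and path, http scheme.
    received_url = "http://keystone.example/identity_admin/v3/OS-OAUTH1/request_token"
    base_url = "https://keystone.example/identity_admin"  # configured base URL (constructed)
    return {
        # original bug: verify against the public endpoint regardless of request URL
        "public_endpoint": verify_signature("POST", public_url, params, consumer_secret),
        # first patch alone: raw request URL carries the wrong scheme behind the proxy
        "raw_request_url": verify_signature("POST", received_url, params, consumer_secret),
        # second patch: request URL with the base URL's scheme matches what was signed
        "base_scheme_url": verify_signature(
            "POST", verification_url(received_url, base_url), params, consumer_secret),
    }


if __name__ == "__main__":
    print(demo())  # {'public_endpoint': False, 'raw_request_url': False, 'base_scheme_url': True}
```

Only the third choice verifies: the public endpoint differs from the signed admin URL in its path, and the raw request URL differs in its scheme, so both produce a different base string and a 401-style failure even though the client's signature is valid.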

Hemanth Nakkina (hemanth-n) wrote :

Functional test cases are ready for review here - https://review.openstack.org/#/c/473245/

New Affected projects: keystone-tempest-plugin

Changed in python-keystoneclient:
assignee: xuhaigang (rocky0722) → Hemanth Nakkina (hemanth-n)
Changed in python-keystoneclient:
assignee: Hemanth Nakkina (hemanth-n) → xuhaigang (rocky0722)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/483586

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/483590

Lance Bragstad (lbragstad) wrote :

The functional tests that we added to verify this fix are being run against the stable branches, causing them to break because neither stable/ocata nor stable/newton has the fix posted here. This was found and reported in https://bugs.launchpad.net/keystone/+bug/1704148.

Changed in keystone:
importance: Undecided → Medium
Lance Bragstad (lbragstad) wrote :

Marking the stable/ocata and stable/newton bugs as high since the tempest tests are currently breaking those gates.

Changed in keystone:
status: In Progress → Fix Committed
milestone: none → pike-3

Reviewed: https://review.openstack.org/483584
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=59e4b4923fb9d3d9a4cd9a3de4658abd91125fc0
Submitter: Jenkins
Branch: stable/ocata

commit 59e4b4923fb9d3d9a4cd9a3de4658abd91125fc0
Author: Hemanth Nakkina <email address hidden>
Date: Tue May 2 16:44:21 2017 +0530

    Change url passed to oauth signature verifier to request url

    OAUTH signature verification should happen with the same URL used for signing.
    Typically at the user end it should be signed with the request URL and hence it
    should be verified with the same.
    Currently keystone uses public endpoint URL for signature verification.

    Modified the URL passed to oauth signature verification to request URL.

    Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
    Partial-Bug: #1687593
    (cherry picked from commit 926685c5a4823d7e3ab3879bae1529052fff7d68)

tags: added: in-stable-ocata

Reviewed: https://review.openstack.org/483586
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=215788d26db0649686ef9ba996a45f5d4c7c1f90
Submitter: Jenkins
Branch: stable/ocata

commit 215788d26db0649686ef9ba996a45f5d4c7c1f90
Author: Hemanth Nakkina <email address hidden>
Date: Mon May 15 14:30:24 2017 +0530

    Change url scheme passed to oauth signature verifier

    Change 461736 modifies the url passed to oauth signature verifier to
    request url. But in some deployments, https endpoints are terminated
    at haproxy and http request is sent to keystone. So request url will
    have http as url scheme whereas the endpoint is registered with https
    and signature at client is done with https url. This results in OAUTH
    signature validation failure.

    Update URL sent for OAUTH signature verification with the scheme of
    the base url.

    Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
    Partial-Bug: #1687593
    (cherry picked from commit b7aece57d2845fcfa45a84e6d21a6188ddd192cc)

tags: added: in-stable-newton

Reviewed: https://review.openstack.org/483589
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=48a5336d3d4b54f954a0100ab864a5c3f6a71380
Submitter: Jenkins
Branch: stable/newton

commit 48a5336d3d4b54f954a0100ab864a5c3f6a71380
Author: Dave Chen <email address hidden>
Date: Wed Aug 24 18:54:14 2016 +0800

    Handle token exception and use proper url for verification

    This commit is a product of two separate commits in order to unwedge
    the stable/newton gate. The first commit is an oauth refactor to
    properly handle token exceptions. The second is a patch that
    uses the proper url when verifying an oauth request token. The
    problem is that the second patch can't be applied due to the
    refactor from the first. This commit merges the two commits
    together so that there isn't a merge conflict and it passes the
    currently broken gate.

    The first commit is:

    Handle the exception from creating access token properly

    If there is any request from client with any invalid request
    parameters, invalid signature for example, keystone should
    capture that and raise the exception.

    Previously `NotImplementedError` or `TypeError` was thrown and
    presented directly to the end user, and no helpful message
    was given.

    This patch fixes that and shows as many exception messages
    helpful for diagnosis as possible.

    Change-Id: I112d0cd0c8a460c7b4d8d0e1c0b9c742aab9fde7
    Closes-Bug: #1616424
    (cherry picked from commit be5385c5389aa9c4879647c9b9e4327cc73189a2)

    This is the second commit

    Change url passed to oauth signature verifier to request url

    OAUTH signature verification should happen with the same URL used for signing.
    Typically at the user end it should be signed with the request URL and hence it
    should be verified with the same.
    Currently keystone uses public endpoint URL for signature verification.

    Modified the URL passed to oauth signature verification to request URL.

    Change-Id: I28059a43cb0088c2952c19f696042ebec54d26c9
    Partial-Bug: #1687593
    (cherry picked from commit 926685c5a4823d7e3ab3879bae1529052fff7d68)

Reviewed: https://review.openstack.org/483590
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8d3758fde99380d1258f72d489a22edacde331b7
Submitter: Jenkins
Branch: stable/newton

commit 8d3758fde99380d1258f72d489a22edacde331b7
Author: Hemanth Nakkina <email address hidden>
Date: Mon May 15 14:30:24 2017 +0530

    Change url scheme passed to oauth signature verifier

    Change 461736 modifies the url passed to oauth signature verifier to
    request url. But in some deployments, https endpoints are terminated
    at haproxy and http request is sent to keystone. So request url will
    have http as url scheme whereas the endpoint is registered with https
    and signature at client is done with https url. This results in OAUTH
    signature validation failure.

    Update URL sent for OAUTH signature verification with the scheme of
    the base url.

    Change-Id: Iaba285985b616a35e3dfe33cdd45667174e7c69d
    Partial-Bug: #1687593
    (cherry picked from commit b7aece57d2845fcfa45a84e6d21a6188ddd192cc)
