2017-05-11 18:22:13 |
prashkre |
description |
Token which are generated using keystoneauth1.session.get/post doesn't have roles, project and catalog information.
>>> from keystoneauth1 import session
>>> from keystoneauth1 import identity
>>> auth = identity.v3.Token('https://localhost:5000/v3', 'gAAAAABZFFOeoAYgNRrCDav6UHGM1Zo63kVk4V2mZ_7D41eCdiJUjw8xzo7eJxJR2vAxRaVljc_OUEErrmU9FsTh6OJi01w9D5hc-pAZPlHzZm-fmExPrEHUZQ1Uz9BI31UpDq_iNg4Im2m1cU8xiBdcUpJZeYKh6gxvL95MMlnttCle5u9y15UDB0I2QY2Sy1LEQ9UoEXVO4wk5M4KgOhVRdF36hEY8dpeH0Zo-MB6N6LqiNvHCWko')
>>> s = session.Session(auth=auth, verify=False)
>>> resp = s.get('http://localhost:9292/v2/images', headers={'Accept': 'application/json'})
>>> resp
<Response [200]>
>>> resp.request.headers
{'Connection': 'keep-alive', 'X-Auth-Token': 'gAAAAABZFFPxqrUAkNLOCDGalLVzYutnQoFXlAyCHuSbqOQPzzuFposxT806oJ3WUXd4gTnDkXNFVXCT10gd3fdVHBkIOqlI2pVh_Fba29FKz8knMRwXGaZaRCeZrnbbGGJsDHMlbLhXB11NM5iEKBHrhXQkWrFSHdfG7IyF00XLiFh2ag3hMICBQKSkenr--Wv3OosLuvFErzsQiKC-HYu04EqOSyiDNc9vRs0OIr9pNynF65NCyPM', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'User-Agent': 'keystoneauth1/2.18.0 python-requests/2.10.0 CPython/2.7.5'}
GET /v3/auth/tokens
X-Subject-Token: gAAAAABZFFPxqrUAkNLOCDGalLVzYutnQoFXlAyCHuSbqOQPzzuFposxT806oJ3WUXd4gTnDkXNFVXCT10gd3fdVHBkIOqlI2pVh_Fba29FKz8knMRwXGaZaRCeZrnbbGGJsDHMlbLhXB11NM5iEKBHrhXQkWrFSHdfG7IyF00XLiFh2ag3hMICBQKSkenr--Wv3OosLuvFErzsQiKC-HYu04EqOSyiDNc9vRs0OIr9pNynF65NCyPM
X-Auth-Token:
gAAAAABZFFOeoAYgNRrCDav6UHGM1Zo63kVk4V2mZ_7D41eCdiJUjw8xzo7eJxJR2vAxRaVljc_OUEErrmU9FsTh6OJi01w9D5hc-pAZPlHzZm-fmExPrEHUZQ1Uz9BI31UpDq_iNg4Im2m1cU8xiBdcUpJZeYKh6gxvL95MMlnttCle5u9y15UDB0I2QY2Sy1LEQ9UoEXVO4wk5M4KgOhVRdF36hEY8dpeH0Zo-MB6N6LqiNvHCWko
Response:
{"token": {"issued_at": "2017-05-11T12:07:13.000000Z", "audit_ids": ["_0-Hir4UTS-ATQmbiOP0Wg", "Zh4SNR-jREugwuoxGXL4wg"], "user": {"id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9", "domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "root"}, "expires_at": "2017-05-11T18:05:50.000000Z", "methods": ["token", "password"]}} |
Token which is generated using keystoneauth1.session.get/post doesn't have roles, project and catalog information.
>>> from keystoneauth1 import session
>>> from keystoneauth1 import identity
>>> auth = identity.v3.Token('https://localhost:5000/v3', 'gAAAAABZFFOeoAYgNRrCDav6UHGM1Zo63kVk4V2mZ_7D41eCdiJUjw8xzo7eJxJR2vAxRaVljc_OUEErrmU9FsTh6OJi01w9D5hc-pAZPlHzZm-fmExPrEHUZQ1Uz9BI31UpDq_iNg4Im2m1cU8xiBdcUpJZeYKh6gxvL95MMlnttCle5u9y15UDB0I2QY2Sy1LEQ9UoEXVO4wk5M4KgOhVRdF36hEY8dpeH0Zo-MB6N6LqiNvHCWko')
>>> s = session.Session(auth=auth, verify=False)
>>> resp = s.get('http://localhost:9292/v2/images', headers={'Accept': 'application/json'})
>>> resp
<Response [200]>
>>> resp.request.headers
{'Connection': 'keep-alive', 'X-Auth-Token': 'gAAAAABZFFPxqrUAkNLOCDGalLVzYutnQoFXlAyCHuSbqOQPzzuFposxT806oJ3WUXd4gTnDkXNFVXCT10gd3fdVHBkIOqlI2pVh_Fba29FKz8knMRwXGaZaRCeZrnbbGGJsDHMlbLhXB11NM5iEKBHrhXQkWrFSHdfG7IyF00XLiFh2ag3hMICBQKSkenr--Wv3OosLuvFErzsQiKC-HYu04EqOSyiDNc9vRs0OIr9pNynF65NCyPM', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'User-Agent': 'keystoneauth1/2.18.0 python-requests/2.10.0 CPython/2.7.5'}
GET /v3/auth/tokens
X-Subject-Token: gAAAAABZFFPxqrUAkNLOCDGalLVzYutnQoFXlAyCHuSbqOQPzzuFposxT806oJ3WUXd4gTnDkXNFVXCT10gd3fdVHBkIOqlI2pVh_Fba29FKz8knMRwXGaZaRCeZrnbbGGJsDHMlbLhXB11NM5iEKBHrhXQkWrFSHdfG7IyF00XLiFh2ag3hMICBQKSkenr--Wv3OosLuvFErzsQiKC-HYu04EqOSyiDNc9vRs0OIr9pNynF65NCyPM
X-Auth-Token:
gAAAAABZFFOeoAYgNRrCDav6UHGM1Zo63kVk4V2mZ_7D41eCdiJUjw8xzo7eJxJR2vAxRaVljc_OUEErrmU9FsTh6OJi01w9D5hc-pAZPlHzZm-fmExPrEHUZQ1Uz9BI31UpDq_iNg4Im2m1cU8xiBdcUpJZeYKh6gxvL95MMlnttCle5u9y15UDB0I2QY2Sy1LEQ9UoEXVO4wk5M4KgOhVRdF36hEY8dpeH0Zo-MB6N6LqiNvHCWko
Response:
{"token": {"issued_at": "2017-05-11T12:07:13.000000Z", "audit_ids": ["_0-Hir4UTS-ATQmbiOP0Wg", "Zh4SNR-jREugwuoxGXL4wg"], "user": {"id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9", "domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "root"}, "expires_at": "2017-05-11T18:05:50.000000Z", "methods": ["token", "password"]}} |
|
2017-05-12 11:49:00 |
Divya K Konoor |
description |
Token which is generated using keystoneauth1.session.get/post doesn't have roles, project and catalog information.
>>> from keystoneauth1 import session
>>> from keystoneauth1 import identity
>>> auth = identity.v3.Token('https://localhost:5000/v3', 'gAAAAABZFFOeoAYgNRrCDav6UHGM1Zo63kVk4V2mZ_7D41eCdiJUjw8xzo7eJxJR2vAxRaVljc_OUEErrmU9FsTh6OJi01w9D5hc-pAZPlHzZm-fmExPrEHUZQ1Uz9BI31UpDq_iNg4Im2m1cU8xiBdcUpJZeYKh6gxvL95MMlnttCle5u9y15UDB0I2QY2Sy1LEQ9UoEXVO4wk5M4KgOhVRdF36hEY8dpeH0Zo-MB6N6LqiNvHCWko')
>>> s = session.Session(auth=auth, verify=False)
>>> resp = s.get('http://localhost:9292/v2/images', headers={'Accept': 'application/json'})
>>> resp
<Response [200]>
>>> resp.request.headers
{'Connection': 'keep-alive', 'X-Auth-Token': 'gAAAAABZFFPxqrUAkNLOCDGalLVzYutnQoFXlAyCHuSbqOQPzzuFposxT806oJ3WUXd4gTnDkXNFVXCT10gd3fdVHBkIOqlI2pVh_Fba29FKz8knMRwXGaZaRCeZrnbbGGJsDHMlbLhXB11NM5iEKBHrhXQkWrFSHdfG7IyF00XLiFh2ag3hMICBQKSkenr--Wv3OosLuvFErzsQiKC-HYu04EqOSyiDNc9vRs0OIr9pNynF65NCyPM', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'User-Agent': 'keystoneauth1/2.18.0 python-requests/2.10.0 CPython/2.7.5'}
GET /v3/auth/tokens
X-Subject-Token: gAAAAABZFFPxqrUAkNLOCDGalLVzYutnQoFXlAyCHuSbqOQPzzuFposxT806oJ3WUXd4gTnDkXNFVXCT10gd3fdVHBkIOqlI2pVh_Fba29FKz8knMRwXGaZaRCeZrnbbGGJsDHMlbLhXB11NM5iEKBHrhXQkWrFSHdfG7IyF00XLiFh2ag3hMICBQKSkenr--Wv3OosLuvFErzsQiKC-HYu04EqOSyiDNc9vRs0OIr9pNynF65NCyPM
X-Auth-Token:
gAAAAABZFFOeoAYgNRrCDav6UHGM1Zo63kVk4V2mZ_7D41eCdiJUjw8xzo7eJxJR2vAxRaVljc_OUEErrmU9FsTh6OJi01w9D5hc-pAZPlHzZm-fmExPrEHUZQ1Uz9BI31UpDq_iNg4Im2m1cU8xiBdcUpJZeYKh6gxvL95MMlnttCle5u9y15UDB0I2QY2Sy1LEQ9UoEXVO4wk5M4KgOhVRdF36hEY8dpeH0Zo-MB6N6LqiNvHCWko
Response:
{"token": {"issued_at": "2017-05-11T12:07:13.000000Z", "audit_ids": ["_0-Hir4UTS-ATQmbiOP0Wg", "Zh4SNR-jREugwuoxGXL4wg"], "user": {"id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9", "domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "root"}, "expires_at": "2017-05-11T18:05:50.000000Z", "methods": ["token", "password"]}} |
The primary problem reported in the defect is that when a keystoneauth1 identity Token is set in the session and a REST call is made, the session does not use the same token for making the call.
auth = identity.v3.Token(auth_url, token)
s = session.Session(auth=auth, verify=False)
resp = s.get('http://localhost:9292/v2/images', headers={'Accept': 'application/json'})
Even though the token has been explicitly set as part of the v3.Token object, the token that is set is not used to make the REST call. Instead a new unscoped token is generated. This new unscoped token which is generated doesn't have roles, project and catalog information as seen below
{"token": {"issued_at": "2017-05-11T12:07:13.000000Z", "audit_ids": ["_0-Hir4UTS-ATQmbiOP0Wg", "Zh4SNR-jREugwuoxGXL4wg"], "user": {"id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9", "domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "root"}, "expires_at": "2017-05-11T18:05:50.000000Z", "methods": ["token", "password"]}}
The flow here is:
1. Using the keystoneauth1 session object a post call is made with the auth v3.Token object set.
2. When we make a session call, control comes here
>> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/session.py#L491
>> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/session.py#L818
>> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/plugin.py#L90
The keystoneauth1.identity.v3.Token object does not have an implementation for get_token so the control finally falls back on the keystoneauth1 identity base implementation which is probably not even applicable for keystone v3.
>> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/base.py#L90
>> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/base.py#L135
>> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/base.py#L92
The above check for re-authenticate always returns True as it does not consider the token that has been passed into the v3.Token object and in all cases goes on to create a new token, which is subsequently used to make the REST call, which happens here>>
https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/v3/base.py#L112
https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/v3/base.py#L166
3. To resolve the above problem I overrode the get_token method inside v3.Token to return the token that was passed in instead of a re-authentication and everything worked fine. Of course this is more of a hack to check if this helped fix this problem. The below doesn't have logic to check if the token was going to expire and if re-authentication was required etc.
class Token(base.AuthConstructor):
    _auth_method_class = TokenMethod
    token_new = None
    def __init__(self, auth_url, token, **kwargs):
        super(Token, self).__init__(auth_url, token=token, **kwargs)
        # Keep the token the caller supplied.
        self.token_new = token
    def get_token(self, session, **kwargs):
        # Return the supplied token as-is instead of re-authenticating.
        return self.token_new |
|
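An added example (not part of the original report and not keystoneauth code): a check that classifies a Keystone v3 token validation body as scoped or unscoped, lists which of the roles, project and catalog sections are absent, and flags a token that is expired or close to expiry, the case the get_token override above leaves out. The `describe_token` helper, the 60-second margin and the `SCOPED` sample body are assumptions made for illustration; only project and domain scope are recognised.

```python
from datetime import datetime, timedelta, timezone

# Token body from the GET /v3/auth/tokens response quoted in the report.
REPORTED = {"token": {
    "issued_at": "2017-05-11T12:07:13.000000Z",
    "audit_ids": ["_0-Hir4UTS-ATQmbiOP0Wg", "Zh4SNR-jREugwuoxGXL4wg"],
    "user": {
        "id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9",
        "domain": {"id": "default", "name": "Default"},
        "password_expires_at": None, "name": "root"},
    "expires_at": "2017-05-11T18:05:50.000000Z",
    "methods": ["token", "password"],
}}

# Constructed body for comparison (hypothetical ids): a project-scoped token.
SCOPED = {"token": {
    "expires_at": "2017-05-11T18:05:50.000000Z",
    "methods": ["token", "password"],
    "user": {"id": "example-user", "name": "root"},
    "project": {"id": "example-project", "name": "demo"},
    "roles": [{"id": "example-role", "name": "admin"}],
    "catalog": [{"type": "image", "name": "glance", "endpoints": []}],
}}


def _parse_ts(value):
    # Timestamps in the report look like 2017-05-11T18:05:50.000000Z (UTC).
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def describe_token(body, now, margin=timedelta(seconds=60)):
    """Summarise scope, missing sections and expiry of a token body."""
    token = body["token"]
    # Scope is read from the top level of the token; user.domain is not scope.
    if "project" in token:
        scope = "project"
    elif "domain" in token:
        scope = "domain"
    else:
        scope = "unscoped"
    missing = [k for k in ("roles", "project", "catalog") if not token.get(k)]
    remaining = _parse_ts(token["expires_at"]) - now
    return {
        "scope": scope,
        "missing": missing,
        "expired": remaining <= timedelta(0),
        "expires_soon": remaining <= margin,
    }
```
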