2015-06-01 21:53:24 |
HT_Sergio |
bug |
|
|
added bug |
2015-06-01 22:55:08 |
Morgan Fainberg |
keystonemiddleware: importance |
Undecided |
High |
|
2015-06-01 22:55:08 |
Morgan Fainberg |
keystonemiddleware: status |
New |
Fix Released |
|
2015-06-02 02:15:34 |
Dolph Mathews |
keystonemiddleware: milestone |
|
1.1.0 |
|
2015-06-02 03:40:57 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
2015-06-02 13:32:38 |
HT_Sergio |
description |
When a service (nova, cinder, etc.) checks a user's token, it's possible the service's token has become invalid and needs to be refreshed before checking the user's token. However, there is a bug in keystonemiddleware v1.0.0 which doesn't properly refresh the token, so the invalid token is used twice and keystonemiddleware incorrectly asserts that the user's token is invalid. This causes all API requests to return 401 Unauthorized until the service is restarted:
Nova:
ERROR: Unauthorized (HTTP 401) (Request-ID: ...)
Cinder:
ERROR: Unauthorized (HTTP 401)
Glance:
Request returned failure status.
Invalid OpenStack Identity credentials.
This bug is fixed in v1.1.0.
I'm creating this issue because Ubuntu packages v1.0.0, so potentially many people are running into this problem, but I didn't see a bug report for it. The solution is to use literally any other version of keystonemiddleware :) v1.1.1 worked for me. |
When a service (nova, cinder, etc.) checks a user's token, it's possible the service's token has become invalid and needs to be refreshed before checking the user's token. However, there is a bug in keystonemiddleware v1.0.0 which doesn't properly refresh the token, so the invalid token is used twice and keystonemiddleware incorrectly asserts that the user's token is invalid. This causes all API requests to return 401 Unauthorized until the service is restarted:
Nova:
ERROR: Unauthorized (HTTP 401) (Request-ID: ...)
Cinder:
ERROR: Unauthorized (HTTP 401)
Glance:
Request returned failure status.
Invalid OpenStack Identity credentials.
This bug is fixed in v1.1.0.
I'm creating this issue because Ubuntu packages v1.0.0, so potentially many people are running into this problem, but I didn't see a bug report for it. The solution is to use a newer version of keystonemiddleware. |
|
2015-06-15 13:49:38 |
Corey Bryant |
bug task added |
|
python-keystonemiddleware (Ubuntu) |
|
2015-06-15 13:50:01 |
Corey Bryant |
nominated for series |
|
Ubuntu Trusty |
|
2015-06-15 13:50:14 |
Corey Bryant |
python-keystonemiddleware (Ubuntu): status |
New |
Invalid |
|
2015-06-15 13:52:09 |
Corey Bryant |
nominated for series |
|
Ubuntu Utopic |
|
2015-06-15 14:08:37 |
James Page |
bug task added |
|
python-keystonemiddleware (Ubuntu Utopic) |
|
2015-06-15 14:08:42 |
James Page |
python-keystonemiddleware (Ubuntu): status |
Invalid |
Fix Released |
|
2015-06-15 18:58:42 |
Corey Bryant |
summary |
admin token is not properly refreshed if it expires in v1.0.0 |
[SRU] admin token is not properly refreshed if it expires in v1.0.0 |
|
2015-06-15 19:01:28 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2015-06-15 19:41:38 |
Launchpad Janitor |
branch linked |
|
lp:~corey.bryant/ubuntu/utopic/python-keystonemiddleware/1.0.0-1ubuntu1 |
|
2015-06-17 14:18:43 |
James Page |
python-keystonemiddleware (Ubuntu Utopic): importance |
Undecided |
High |
|
2015-06-17 20:45:53 |
Corey Bryant |
description |
When a service (nova, cinder, etc.) checks a user's token, it's possible the service's token has become invalid and needs to be refreshed before checking the user's token. However, there is a bug in keystonemiddleware v1.0.0 which doesn't properly refresh the token, so the invalid token is used twice and keystonemiddleware incorrectly asserts that the user's token is invalid. This causes all API requests to return 401 Unauthorized until the service is restarted:
Nova:
ERROR: Unauthorized (HTTP 401) (Request-ID: ...)
Cinder:
ERROR: Unauthorized (HTTP 401)
Glance:
Request returned failure status.
Invalid OpenStack Identity credentials.
This bug is fixed in v1.1.0.
I'm creating this issue because Ubuntu packages v1.0.0, so potentially many people are running into this problem, but I didn't see a bug report for it. The solution is to use a newer version of keystonemiddleware. |
[Impact]
When a service (nova, cinder, etc.) checks a user's token, it's possible the service's token has become invalid and needs to be refreshed before checking the user's token. However, there is a bug in keystonemiddleware v1.0.0 which doesn't properly refresh the token, so the invalid token is used twice and keystonemiddleware incorrectly asserts that the user's token is invalid. This causes all API requests to return 401 Unauthorized until the service is restarted:
Nova:
ERROR: Unauthorized (HTTP 401) (Request-ID: ...)
Cinder:
ERROR: Unauthorized (HTTP 401)
Glance:
Request returned failure status.
Invalid OpenStack Identity credentials.
This bug is fixed in v1.1.0.
I'm creating this issue because Ubuntu packages v1.0.0, so potentially many people are running into this problem, but I didn't see a bug report for it. The solution is to use a newer version of keystonemiddleware.
[Test Case]
1. start the service with a username, password, and tenant
2. perform some API request, so the server (i.e. nova) gets a token and caches it internally
3. restart memcache, purging the service's cached token
4. perform the API request again
[Regression Potential]
The fix provided is minimal and has very low regression potential. |
|
2015-06-18 18:06:01 |
Launchpad Janitor |
python-keystonemiddleware (Ubuntu Utopic): status |
New |
Confirmed |
|
2015-06-22 13:32:37 |
Corey Bryant |
python-keystonemiddleware (Ubuntu Utopic): status |
Confirmed |
In Progress |
|
2015-06-24 17:53:50 |
Chris J Arges |
python-keystonemiddleware (Ubuntu Utopic): status |
In Progress |
Fix Committed |
|
2015-06-24 17:53:54 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2015-06-24 17:53:57 |
Chris J Arges |
tags |
401 unauthorized |
401 unauthorized verification-needed |
|
2015-06-24 18:03:41 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-proposed/python-keystonemiddleware |
|
2015-06-25 09:31:57 |
Shuichiro MAKIGAKI |
bug |
|
|
added subscriber Shuichiro MAKIGAKI |
2015-07-02 15:34:54 |
Corey Bryant |
tags |
401 unauthorized verification-needed |
401 unauthorized verification-done |
|
2015-07-08 13:14:21 |
Launchpad Janitor |
python-keystonemiddleware (Ubuntu Utopic): status |
Fix Committed |
Fix Released |
|
2015-07-08 13:14:28 |
Chris J Arges |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|