Not enough log info when Keycloak rejects authorization

Bug #1737500 reported by Renat Akhmerov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mistral | Fix Released | Medium | idan Narotzki |

Bug Description

When Keycloak rejects authorization to a Mistral endpoint, the client receives "401 UNAUTHORIZED" without any additional details. We need to print the whole Keycloak response body to the log at DEBUG level when this happens so that we can investigate what happened.

Changed in mistral:
milestone: none → queens-3
importance: Undecided → Medium
Changed in mistral:
milestone: queens-3 → rocky-1
Dougal Matthews (d0ugal)
Changed in mistral:
status: New → In Progress
Changed in mistral:
assignee: nobody → idan Narotzki (idanaroz)
OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (master)

Reviewed: https://review.openstack.org/559661
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=1ece440ac5f4b613385b44623022421a60256bc7
Submitter: Zuul
Branch: master

commit 1ece440ac5f4b613385b44623022421a60256bc7
Author: Idan Narotzki <email address hidden>
Date: Mon Apr 9 08:37:55 2018 +0000

    Adding WWW-Authenticate info.

    Sometimes when mistral requests are failing with "401 Unauthorized"
    against Keycloak, the reason is not mentioned in the logs.

    In case Keycloak returns 401 it must provide the WWW-Authenticate
    response header with the reason:
    https://www.w3.org/Protocols/HTTP/1.0/spec.html#WWW-Authenticate

    This code takes care of it by adding the WWW-Authenticate value to
    mistral api-log.

    Change-Id: I7ae221aaeb2233184bd4818490e72ff662dca5cb
    Closes-Bug: #1737500
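
One way to surface the rejection reason the commit message above describes, as an added example that is not Mistral's code and not part of the commit. The logger name, the function names and the sample header are assumptions constructed for illustration, and the parser handles a single challenge per header value.

```python
import logging
import re

LOG = logging.getLogger("api.auth")  # hypothetical logger name

# auth-param = token "=" ( token / quoted-string ), per RFC 7235
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')
_CTRL = re.compile(r"[\x00-\x1f\x7f]")  # control characters could forge log lines


def parse_challenge(value):
    """Split one WWW-Authenticate challenge into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        raw = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        # The header comes from the network: neutralise control characters.
        params[name.lower()] = _CTRL.sub("?", raw)
    return _CTRL.sub("?", scheme), params


def describe_rejection(status, headers):
    """Build the log message for a 401 from the identity provider, else None."""
    if status != 401:
        return None
    value = next((v for k, v in headers.items()
                  if k.lower() == "www-authenticate"), None)
    if value is None:
        return "identity provider returned 401 without WWW-Authenticate"
    scheme, params = parse_challenge(value)
    return "identity provider returned 401: scheme=%s error=%s description=%s" % (
        scheme, params.get("error", "-"), params.get("error_description", "-"))


def log_rejection(status, headers):
    """Log the reason only; the rejected token itself is never written."""
    message = describe_rejection(status, headers)
    if message is not None:
        LOG.debug("%s", message)  # DEBUG level, as the bug report asks
    return message


# Constructed sample response headers, not captured from a real deployment.
SAMPLE = {"WWW-Authenticate": 'Bearer realm="demo", error="invalid_token", '
                              'error_description="Token is not active"'}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_rejection(401, SAMPLE)
```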

Changed in mistral:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to mistral (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/561454

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral 7.0.0.0b1

This issue was fixed in the openstack/mistral 7.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (stable/queens)

Reviewed: https://review.openstack.org/561454
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=4a399216a9bf1b92da1419b58872b258c1e26c62
Submitter: Zuul
Branch: stable/queens

commit 4a399216a9bf1b92da1419b58872b258c1e26c62
Author: Idan Narotzki <email address hidden>
Date: Mon Apr 9 08:37:55 2018 +0000

    Adding WWW-Authenticate info.

    Sometimes when mistral requests are failing with "401 Unauthorized"
    against Keycloak, the reason is not mentioned in the logs.

    In case Keycloak returns 401 it must provide the WWW-Authenticate
    response header with the reason:
    https://www.w3.org/Protocols/HTTP/1.0/spec.html#WWW-Authenticate

    This code takes care of it by adding the WWW-Authenticate value to
    mistral api-log.

    Change-Id: I7ae221aaeb2233184bd4818490e72ff662dca5cb
    Closes-Bug: #1737500
    (cherry picked from commit 1ece440ac5f4b613385b44623022421a60256bc7)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral 6.0.2

This issue was fixed in the openstack/mistral 6.0.2 release.
