glance will return 401 error if the request token contains url code

Bug #1783290 reported by wangxiyuan on 2018-07-24
This bug affects 1 person

Affects        Status        Importance  Assigned to  Milestone
Glance Client  Fix Released  High        wangxiyuan   2.12.1

Bug Description

Now glanceclient encodes the request headers before sending the request to the server, to handle RFC 8187: https://review.openstack.org/#/c/568698

The request headers contain the token from Keystone. This leads to a case where, if a token contains URL characters such as "+", glanceclient changes it to '%2B' first.

Then the server side can't validate the changed token and raises a 401 error.

The upstream CI doesn't notice this bug because Keystone uses fernet tokens, which don't contain URL characters by default. But the token format in Keystone is pluggable, and some out-of-tree token formats may contain URL characters (for example, PKI/PKIZ tokens).

We found this bug when testing some OpenStack public clouds. These public clouds still use PKI/PKIZ tokens. After we upgraded our glanceclient to a higher version, this bug occurred.

So a solution here is to skip encoding the token header in glanceclient.

Another solution may be to decode the headers in Glance or keystonemiddleware. But it's not the best way IMO, because we can't make these public clouds upgrade or backport the fix at once. And on the other hand, I assume the community should ensure that a higher client works well with a lower server.

wangxiyuan (wangxiyuan) on 2018-07-24
description: updated
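The encoding problem the report describes, as an added example (not glanceclient's or keystonemiddleware's own code). It models three client behaviours against a constructed base64-style token: percent-encoding every header value, which is what turned '+' into '%2B' and '=' into '%3D'; keeping the encoder but marking '+' and '=' safe for the token header, which is the shape of the two fixes linked below; and passing the token header through untouched. The header names, the use of urllib.parse.quote as the encoder, and the sample values are assumptions made for the illustration. It also shows why '/' never needed a fix: quote leaves '/' alone by default.

```python
"""Added example for bug #1783290; not glanceclient's own code.

Models the header-encoding behaviours described in the report.  The
header names, the encoder (urllib.parse.quote) and the sample values are
assumptions for the illustration, not the client's real implementation.
"""
from urllib.parse import quote

# Assumed: the header names that carry Keystone tokens.
TOKEN_HEADERS = frozenset({"x-auth-token", "x-service-token"})


def encode_value(value):
    """Percent-encode one header value.

    quote() leaves unreserved characters and '/' alone, so a base64-style
    token keeps its '/' but '+' becomes '%2B' and '=' becomes '%3D'.
    """
    return quote(value)


def encode_headers_buggy(headers):
    """Encode every header, token included: the behaviour that caused the 401."""
    return {name: encode_value(value) for name, value in headers.items()}


def encode_headers_safelist(headers):
    """Shape of the merged fixes: still encode the token header, but treat
    '+' and '=' as safe.  Any other reserved character in a token would
    still be rewritten, so this relies on knowing the token alphabet."""
    out = {}
    for name, value in headers.items():
        if name.lower() in TOKEN_HEADERS:
            out[name] = quote(value, safe="/+=")
        else:
            out[name] = encode_value(value)
    return out


def encode_headers_passthrough(headers):
    """Simplest robust option: never transform a credential at all."""
    return {
        name: (value if name.lower() in TOKEN_HEADERS else encode_value(value))
        for name, value in headers.items()
    }


def server_accepts(sent_headers, issued_token):
    """Simulated server-side check: the token must arrive exactly as
    Keystone issued it, otherwise the request is rejected with 401."""
    return sent_headers.get("X-Auth-Token") == issued_token


# Constructed sample: base64 of b"\xfb\xff\xbf\x01", chosen so the body
# contains '+', '/' and '=' padding like the tokens the report describes.
SAMPLE_TOKEN = "+/+/AQ=="
SAMPLE_HEADERS = {
    "X-Auth-Token": SAMPLE_TOKEN,
    "Content-Type": "application/octet-stream",
    # Constructed non-ASCII value: the case RFC 8187 encoding is meant for.
    "X-Image-Meta-Name": "café",
}


def compare_encoders():
    """Return, per encoder, whether the sample token survives unchanged."""
    return {
        "buggy": server_accepts(encode_headers_buggy(SAMPLE_HEADERS), SAMPLE_TOKEN),
        "safelist": server_accepts(encode_headers_safelist(SAMPLE_HEADERS), SAMPLE_TOKEN),
        "passthrough": server_accepts(encode_headers_passthrough(SAMPLE_HEADERS), SAMPLE_TOKEN),
    }


if __name__ == "__main__":
    for name, ok in compare_encoders().items():
        print(f"{name:12s} token accepted: {ok}")
    print("token as sent by buggy encoder:",
          encode_headers_buggy(SAMPLE_HEADERS)["X-Auth-Token"])
```

The safelist variant reproduces what the two commits do and works for the '+'/'=' case in the report, but it is only as good as the list of characters it exempts; a credential should go on the wire byte-for-byte as issued, which is what the passthrough variant guarantees while still RFC 8187-encoding the non-ASCII metadata header.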
Brian Rosmaita (brian-rosmaita) wrote:
Changed in python-glanceclient:
milestone: none → 2.11.2
status: New → Triaged
importance: Undecided → High
assignee: nobody → wangxiyuan (wangxiyuan)
Changed in python-glanceclient:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/583468
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=818362147d0622752d051bd78ae839497a602e44
Submitter: Zuul
Branch: master

commit 818362147d0622752d051bd78ae839497a602e44
Author: wangxiyuan <email address hidden>
Date: Wed Jul 18 11:30:10 2018 +0800

    Do not quote '+' for token header

    The token in the request header may contain URL chars, such as '+';
    if quoted, '+' changes to '%2B', which leads to a 401 error.

    Our CI doesn't notice this bug because Keystone uses fernet tokens,
    which don't contain URL chars by default. But the token format in
    Keystone is pluggable, and some out-of-tree token formats may contain
    URL chars (for example, PKI/PKIZ tokens).

    So we should skip quoting the token to avoid changing its content.

    Closes-bug: #1783290
    Change-Id: I5aa71b3e2b9b19581e46ccf8a80eda5d637f17d1

Changed in python-glanceclient:
status: In Progress → Fix Released

This issue was fixed in the openstack/python-glanceclient 2.12.0 release.

Reviewed: https://review.openstack.org/585937
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=eba4bb06d9aeaaf18a7e393ae8c03d47bd052f20
Submitter: Zuul
Branch: master

commit eba4bb06d9aeaaf18a7e393ae8c03d47bd052f20
Author: wangxiyuan <email address hidden>
Date: Thu Jul 26 11:31:08 2018 +0800

    Skip quote '=' for token header

    If the token is encoded by base64, it may contain '=' char
    as well.

    We should skip quoting it.

    Change-Id: I1ca63d251fa366f0e8e58128d45b729a2489b65c
    Partial-Bug: #1783290

Reviewed: https://review.openstack.org/586232
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=f15d91d1c875ea6c012d377566292662f546aa3d
Submitter: Zuul
Branch: stable/rocky

commit f15d91d1c875ea6c012d377566292662f546aa3d
Author: wangxiyuan <email address hidden>
Date: Thu Jul 26 11:31:08 2018 +0800

    Skip quote '=' for token header

    If the token is encoded by base64, it may contain '=' char
    as well.

    We should skip quoting it.

    Change-Id: I1ca63d251fa366f0e8e58128d45b729a2489b65c
    Partial-Bug: #1783290
    (cherry picked from commit eba4bb06d9aeaaf18a7e393ae8c03d47bd052f20)

tags: added: in-stable-rocky
Changed in python-glanceclient:
milestone: 2.12.0 → 2.12.1