When a client executes a "nova boot" command, nova-api needs to communicate with keystone (via keystone/middleware/auth_token.py in essex version) to authenticate the user's token. If some internal error happens at the keystone side, for example, if keystone cannot connect to the database backend (mysqld in our case), then keystone will return a 500 status code to nova-api, indicating a server internal error.
However, when nova-api receives the response from keystone (in _validate_user_token in keystone/middleware/auth_token.py), it checks the response status code and in this case raises an InvalidUserToken exception, which in turn causes the external user (issuing "nova boot") to receive a 401 error code from nova-api.
It seems that in the above scenario, the external user should receive a 500 status code instead of a 401 status code from nova-api. The client's token is indeed valid so a 401 status code is confusing in this case.
Fix proposed to branch: master /review. openstack. org/21235
Review: https:/