return invalid user token error code to user (401) due to internal server error (500)

Bug #1112167 reported by Samuel XJ
Affects: keystonemiddleware
Status: Invalid
Importance: Medium
Assigned to: Ajaya Agrawal

Bug Description

When a client executes a "nova boot" command, nova-api needs to communicate with keystone (via keystone/middleware/auth_token.py in the Essex version) to authenticate the user's token. If some internal error happens on the keystone side, for example, if keystone cannot connect to the database backend (mysqld in our case), then keystone will return a 500 status code to nova-api, indicating a server internal error.

However, when nova-api receives the response from keystone (in _validate_user_token in keystone/middleware/auth_token.py), it checks the response status code and in this case raises an InvalidUserToken exception, which in turn causes the external user (issuing "nova boot") to receive a 401 error code from nova-api.

It seems that in the above scenario, the external user should receive a 500 status code instead of a 401 status code from nova-api. The client's token is indeed valid so a 401 status code is confusing in this case.
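The status mapping described in this report, as an added example that is not part of the original report and is not keystone's own code: a simplified model in which any non-200 answer from keystone raises InvalidUserToken, shown next to the behaviour the reporter asks for. The function names other than InvalidUserToken, the `surface_upstream_errors` switch, the 404 for an unknown token and the stand-in keystone callables are assumptions made for illustration.

```python
import logging

log = logging.getLogger("auth_token_model")


class InvalidUserToken(Exception):
    """Token could not be validated (exception name taken from the report)."""

    def __init__(self, upstream_status):
        super().__init__(f"keystone answered {upstream_status}")
        self.upstream_status = upstream_status


def validate_user_token(token, ask_keystone):
    """Simplified model of the check in the report: non-200 means failure."""
    status, body = ask_keystone(token)
    if status == 200:
        return body
    # A rejected token and a keystone internal error take the same path here.
    raise InvalidUserToken(status)


def client_status(token, ask_keystone, surface_upstream_errors=False):
    """Status the API service hands back to the external caller.

    False: behaviour described in the report (every failure becomes 401).
    True:  behaviour the reporter asks for (a keystone 5xx becomes 500).
    """
    try:
        validate_user_token(token, ask_keystone)
        return 200
    except InvalidUserToken as exc:
        upstream_failed = exc.upstream_status >= 500
        # Record the cause either way, so an operator reading the log can
        # tell an identity-service outage from a genuinely bad token.
        log.warning("token validation failed: keystone_status=%d cause=%s",
                    exc.upstream_status,
                    "identity_service_error" if upstream_failed else "token_rejected")
        return 500 if (upstream_failed and surface_upstream_errors) else 401


# Constructed stand-ins for keystone: one healthy, one with its database down.
VALID_TOKENS = {"tok-valid": {"user": "demo"}}


def healthy_keystone(token):
    return (200, VALID_TOKENS[token]) if token in VALID_TOKENS else (404, None)


def broken_keystone(token):
    return (500, None)
```

With `broken_keystone`, a valid token yields 401 under the default mapping and 500 with `surface_upstream_errors=True`; the log line carries the upstream status in both cases.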

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21235

Changed in python-keystoneclient:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
status: New → In Progress
Changed in python-keystoneclient:
assignee: Lin Hua Cheng (lin-hua-cheng) → nobody
status: In Progress → New
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/30113

Changed in python-keystoneclient:
assignee: nobody → Adam Young (ayoung)
status: New → In Progress
Dolph Mathews (dolph) wrote :

The first patch above merged in https://github.com/openstack/python-keystoneclient/commit/d3583cad27b1f667965573a737e4c6e5971e4285 but that does not address this bug.

Changed in python-keystoneclient:
assignee: Adam Young (ayoung) → nobody
Dolph Mathews (dolph)
Changed in python-keystoneclient:
importance: Undecided → Medium
status: In Progress → Confirmed
Changed in python-keystoneclient:
assignee: nobody → Christophe Sauthier (christophe.sauthier)
Ajaya Agrawal (ajayaa)
Changed in python-keystoneclient:
assignee: Christophe Sauthier (christophe.sauthier) → Ajaya Agrawal (ajayaa)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/101206

Changed in python-keystoneclient:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (master)

Change abandoned by Ajaya Agrawal (<email address hidden>) on branch: master
Review: https://review.openstack.org/101206

Ajaya Agrawal (ajayaa)
affects: python-keystoneclient → keystonemiddleware
Dolph Mathews (dolph) wrote :

Has the above change been proposed against keystonemiddleware? If so, can someone provide a link here? Thanks!

Ajaya Agrawal (ajayaa) wrote :
Morgan Fainberg (mdrnstm) wrote :

Adding bits of my comment from the review here:

I am not convinced that 500 because keystone is unavailable is the correct return code. The token was unable to be validated; this is a 401. It is an auth error, not a Nova internal server error. In any case where we can't validate a token it should be 401.

Why would Nova return a 500 on an invalid token? It is not a failure within Nova.

Ajaya Agrawal (ajayaa) wrote :

++ Morgan Fainberg
This bug should be marked invalid.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystonemiddleware (master)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: master
Review: https://review.openstack.org/106010
Reason: Change is abandoned. This can be restored (by the author or a core member) if the conversation should continue.

Changed in keystonemiddleware:
status: In Progress → Invalid