attempt to re-authenticate on possible token expiry re-uses expired token

Bug #1192656 reported by Eoghan Glynn on 2013-06-19
This bug affects 7 people
Affects: python-novaclient
Importance: Undecided
Assigned to: Eoghan Glynn

Bug Description

The attempt to re-authenticate on possible token expiry actually re-uses the expired token, which is clearly bound to fail in the expired case.

As a result, unless the client explicitly handles the 401, a novaclient instance will stop working once the original token has expired (by default after 24 hours).

This issue may have been masked by the recently discovered & fixed vulnerability whereby signed tokens were not being properly checked for expiry:

    https://bugs.launchpad.net/python-keystoneclient/+bug/1179615

Eoghan Glynn (eglynn) on 2013-06-19
Changed in python-novaclient:
assignee: nobody → Eoghan Glynn (eglynn)
status: New → In Progress

Reviewed: https://review.openstack.org/33685
Committed: http://github.com/openstack/python-novaclient/commit/909a53b161b8936dddb40dd25e346c2cbb8db416
Submitter: Jenkins
Branch: master

commit 909a53b161b8936dddb40dd25e346c2cbb8db416
Author: Eoghan Glynn <email address hidden>
Date: Wed Jun 19 18:27:24 2013 +0000

    Discard possibly expired token before re-authenticating

    Fixes bug 1192656

    Previously, the attempt to re-authenticate on possible token
    expiry actually re-used the expired token, which was clearly
    bound to fail in the expired case.

    Now the old authentication state is discarded before attempting
    re-authentication.

    Change-Id: I3fd125702061f7ac84eb501d2a488aab5b2385b9

Changed in python-novaclient:
status: In Progress → Fix Committed
Changed in python-novaclient:
status: Fix Committed → Fix Released
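
The failure mode and the fix described in this report, as an added Python example that is not python-novaclient's code. All class and method names are hypothetical, the identity service is a constructed in-memory stand-in, and the sketch assumes that authenticate() skips the login when a token is already cached.

```python
# Added illustration; all names are hypothetical, not python-novaclient's API.
class Unauthorized(Exception):
    """Stands in for an HTTP 401 response."""

class FakeIdentity:
    """Constructed stand-in for the identity service: issues numbered tokens."""
    def __init__(self):
        self.valid = set()
        self.issued = 0
    def issue(self):
        self.issued += 1
        token = f"tok-{self.issued}"
        self.valid.add(token)
        return token
    def expire_all(self):
        self.valid.clear()

class Client:
    def __init__(self, identity, discard_before_reauth):
        self.identity = identity
        self.discard_before_reauth = discard_before_reauth
        self.token = None
    def authenticate(self):
        # Assumption for this sketch: a cached token short-circuits the login.
        if self.token is None:
            self.token = self.identity.issue()
    def _call(self):
        if self.token not in self.identity.valid:
            raise Unauthorized()
        return "ok"
    def request(self):
        self.authenticate()
        try:
            return self._call()
        except Unauthorized:
            if self.discard_before_reauth:
                self.token = None      # the fix: drop the stale auth state first
            self.authenticate()        # without the fix this is a no-op
            return self._call()        # single retry; a second 401 propagates

def run(discard_before_reauth):
    identity = FakeIdentity()
    client = Client(identity, discard_before_reauth)
    client.request()                   # first call logs in and succeeds
    identity.expire_all()              # simulate the token lifetime elapsing
    try:
        return client.request(), identity.issued
    except Unauthorized:
        return "401", identity.issued
```

run(False) models the behaviour before the fix: the retry presents the same expired token and only one token is ever issued. run(True) models the behaviour after it: the stale state is discarded and a second token is obtained.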