python-keystoneclient

Fail to start WSGI service with revocation_cache_time set

Bug #1354269 reported by Qiu Yu on 2014-08-08

This bug report is a duplicate of: Bug #1353315: Incorrect condition expression for ssl_insecure (CVE-2014-7144). Edit Remove

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	keystonemiddleware	Triaged	Low	Unassigned
	python-keystoneclient	Won't Fix	Undecided	Qiu Yu

Bug Description

In Nova with auth_token middleware, add revocation_cache_time to [filter:authtoken] section in /etc/nova/api-paste.ini

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = <auth host ip>
auth_port = 35357
auth_protocol = http
admin_tenant_name = <admin tenant>
admin_user = <admin user>
admin_password = <admin pass
signing_dir = /tmp/keystone-signing-nova
revocation_cache_time = 100

Start nova-api, then the service exists with following message.

2014-08-08 04:34:57.276 22485 CRITICAL nova [-] unsupported type for timedelta seconds component: str
2014-08-08 04:34:57.462 22494 INFO nova.openstack.common.service [-] Parent process has died unexpectedly, exiting
2014-08-08 04:34:57.463 22494 INFO nova.wsgi [-] Stopping WSGI server.

Qiu Yu (unicell) on 2014-08-08

summary:

- Fail to WSGI service with revocation_cache_time set
+ Fail to start WSGI service with revocation_cache_time set

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-08: Fix proposed to python-keystoneclient (master)

#1

Fix proposed to branch: master
Review: https://review.openstack.org/112756

Changed in python-keystoneclient:
assignee:	nobody → Qiu Yu (unicell)
status:	New → In Progress

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2014-08-08:

#2

This very well may be an Olso.config bug as you've set an Int value in the config to an inttype option. Second this is not a security fix and therefore should be proposed to keystonemiddleware first. We can evaluate if it will be accepted to keystoneclient's copy of the code (currently frozen and will not receive anything except security updates).

Changed in python-keystoneclient:
status:	In Progress → Incomplete

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2014-08-08:

#3

Also, what release of OpenStack are you using and what version of keystoneclient?

Changed in keystonemiddleware:
status:	New → Incomplete

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2014-08-08:

#4

Ok, so looking over the code, the issue is that the oslo.config options are not used to process the config data passed in from the paste-ini. If the option is set in the nova.conf it should get the correct type.

This should be fixed (if at all possible) by forcing the options to be loaded into the oslo config object and use the type management of oslo.config instead of accepting *whatever* the paste config ends up being.

Changed in python-keystoneclient:
status:	Incomplete → Won't Fix
Changed in keystonemiddleware:
status:	Incomplete → Triaged
importance:	Undecided → Low

Revision history for this message

Qiu Yu (unicell) wrote on 2014-08-11:

#5

Hi Morgan,

Yes, that's the reason why using revocation_cache_time inside paste-ini has type errors.

Since many paste-ini variables are handled by explicit type conversion (such as auth_port), do you think it worth to submit my previous fix to keystonemiddleware? Cause for oslo.config, type validation only happens when reading conf file and parsing options. There's no easy way to force one value to be loaded into Opt object at runtime.

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2014-08-20:

#6

There is another related bug 1353315 it might make sense to combine efforts and/or see if that fix can be used to fix this one as well.

In either case, you are welcome to submit your fix to keystonemiddleware. It is definitely a bug.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-05: Change abandoned on python-keystoneclient (master)

#7

Change abandoned by Qiu Yu (<email address hidden>) on branch: master
Review: https://review.openstack.org/112756

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2014-09-27:

#8

I am going to mark this as a duplicate of bug 1353315, it looks like as long as you're using the latest oslo.config and the keystonemiddleware package this should now be resolved. Please don't hesitate to reopen this/discuss in IRC if this is not the case.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1353315 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.