[SRU] admin token is not properly refreshed if it expires in v1.0.0
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
keystonemiddleware | Fix Released | High | Unassigned | |
python-keystonemiddleware (Ubuntu) | Fix Released | Undecided | Unassigned | |
Utopic | Fix Released | High | Unassigned | |
Bug Description
[Impact]
When a service (nova, cinder, etc) checks a user's token, it's possible the service's token has become invalid and needs to be refreshed before checking the user's token. However, there is a bug in keystonemiddleware v1.0.0 which doesn't properly refresh the token, so the invalid token is used twice and keystonemiddleware incorrectly asserts that the user's token is invalid. This causes all API requests to return 401 Unauthorized until the service is restarted:
Nova:
ERROR: Unauthorized (HTTP 401) (Request-ID: ...)
Cinder:
ERROR: Unauthorized (HTTP 401)
Glance:
Request returned failure status.
Invalid OpenStack Identity credentials.
This bug is fixed in v1.1.0.
I'm creating this issue because Ubuntu packages v1.0.0, so potentially many people are running into this problem, but I didn't see a bug report for it. The solution is to use a newer version of keystonemiddleware.
[Test Case]
1. start the service with a username, password, and tenant
2. perform some API request, so the server (i.e. nova) gets a token and caches it internally
3. restart memcache, purging the service's cached token
4. perform the API request again
[Regression Potential]
The fix provided is minimal and has very low regression potential.
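The failure mode described under [Impact], as an added example that is not part of the original report and is not keystonemiddleware's code: a simplified model in which the service retries validation once, with and without fetching a new admin token in between. `FakeIdentity`, `Validator`, `run` and the token strings are hypothetical names and constructed values.

```python
class Unauthorized(Exception):
    """The identity service rejected the service's own (admin) token."""

class FakeIdentity:
    """Constructed stand-in for the identity service; not Keystone's API."""
    def __init__(self):
        self.valid_admin, self.user_tokens, self._n = set(), {"user-tok"}, 0

    def issue_admin_token(self):
        self._n += 1
        token = f"admin-{self._n}"
        self.valid_admin.add(token)
        return token

    def validate(self, admin_token, user_token):
        if admin_token not in self.valid_admin:
            raise Unauthorized("admin token rejected")
        return user_token in self.user_tokens

class Validator:
    """Hypothetical middleware model: caches one admin token, retries once."""
    def __init__(self, identity, refresh_on_retry):
        self.identity = identity
        self.refresh_on_retry = refresh_on_retry
        self.admin_token = None

    def check(self, user_token):
        if self.admin_token is None:
            self.admin_token = self.identity.issue_admin_token()
        for _ in range(2):
            try:
                return self.identity.validate(self.admin_token, user_token)
            except Unauthorized:
                if self.refresh_on_retry:  # fixed behaviour: fetch a new token
                    self.admin_token = self.identity.issue_admin_token()
                # buggy behaviour: fall through and reuse the rejected token
        return False  # caller answers 401 although the user token is valid

def run(refresh_on_retry):
    idp = FakeIdentity()
    mw = Validator(idp, refresh_on_retry)
    before = mw.check("user-tok")
    idp.valid_admin.clear()  # the service's admin token becomes invalid
    after = [mw.check("user-tok") for _ in range(3)]
    return before, after, mw.check("forged-tok")

if __name__ == "__main__":
    print("buggy:", run(False))
    print("fixed:", run(True))
```

In the model without the refresh, every request after the invalidation is rejected until a new `Validator` is created, which corresponds to the service restart mentioned in the report; in both variants an unknown user token is still rejected.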
Related branches
- Martin Pitt: Approve
- Diff: 45 lines (+27/-0), 3 files modified:
  debian/changelog (+8/-0)
  debian/patches/refresh-expired-admin-token.patch (+18/-0)
  debian/patches/series (+1/-0)
Changed in keystonemiddleware:
milestone: none → 1.1.0
description: updated
Changed in python-keystonemiddleware (Ubuntu):
status: New → Invalid
Changed in python-keystonemiddleware (Ubuntu):
status: Invalid → Fix Released
summary:
- admin token is not properly refreshed if it expires in v1.0.0
+ [SRU] admin token is not properly refreshed if it expires in v1.0.0
Changed in python-keystonemiddleware (Ubuntu Utopic):
importance: Undecided → High
description: updated
Changed in python-keystonemiddleware (Ubuntu Utopic):
status: Confirmed → In Progress
This has been corrected (but did not have a bug assigned) as of the 1.1.0 release of keystonemiddleware. If there are any deployers with this bug, it is recommended that you move to 1.1.0 or later of keystonemiddleware.
All deployers should be sure to use real user/passwords for the service users (e.g. Nova, etc).