glance will return 401 error if the request token contains url code
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance Client | Fix Released | High | wangxiyuan | |
Bug Description
Now glanceclient will encode the request headers before sending the request to the server, to handle RFC8187. https:/
The request header contains the token info from Keystone. This leads to a case where, if a token contains some URL code, like "+", glanceclient will change it to '%2B' first.
Then the server side can't validate the changed token, and raises a 401 error.
The upstream CI doesn't notice this bug because Keystone uses fernet tokens, which don't contain URL chars by default. But the token format in Keystone is pluggable; some out-of-tree token formats may contain URL chars (for example, PKI/PKIZ tokens).
We found this bug when testing some OpenStack Public Clouds. These Public Clouds still use PKI/PKIZ tokens. After we upgraded our glanceclient to a higher version, this bug occurred.
So a solution here is to skip encoding the token header in glanceclient.
Another solution may be to decode the headers in Glance or keystonemiddleware. But it's not the best way IMO, because we can't make these Public Clouds upgrade or backport the fix at once. And on the other hand, I assume the community should ensure that a higher client can work well with a lower server.
description: updated
Changed in python-glanceclient: status: Triaged → In Progress
Changed in python-glanceclient: milestone: 2.12.0 → 2.12.1
https://review.openstack.org/#/c/583468/
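The failure described in the bug description, and the proposed skip-the-token fix, reproduced as an added example that is not glanceclient's own code. Assumptions: `encode_headers`, `server_status`, `altered_headers` and `request_status` are hypothetical names, `urllib.parse.quote` stands in for the client's header encoding, the token is constructed sample text, and `X-Auth-Token` is taken to be the header carrying the Keystone token.

```python
from urllib.parse import quote

# Constructed sample token text containing "+", the character the report names.
ISSUED_TOKEN = "constructed+token+value=="
TOKEN_HEADER = "X-Auth-Token"  # assumed name of the header carrying the token


def encode_headers(headers, skip=()):
    """Percent-encode every header value except the names listed in skip."""
    skip_lower = {name.lower() for name in skip}
    encoded = {}
    for name, value in headers.items():
        if name.lower() in skip_lower:
            encoded[name] = value  # passed through unchanged
        else:
            # Stand-in for the client's encoding step (assumption).
            encoded[name] = quote(value, safe="")
    return encoded


def altered_headers(original, encoded):
    """Names of headers whose value changed during encoding."""
    return sorted(n for n in original if original[n] != encoded[n])


def server_status(headers):
    """Stand-in for server-side validation: the token must match exactly."""
    return 200 if headers.get(TOKEN_HEADER) == ISSUED_TOKEN else 401


def request_status(skip=()):
    """Status the stand-in server returns for one encoded request."""
    headers = {TOKEN_HEADER: ISSUED_TOKEN,
               "x-image-meta-name": "caf\u00e9 image"}
    return server_status(encode_headers(headers, skip=skip))


if __name__ == "__main__":
    print("encode every header:", request_status())
    print("skip token header:  ", request_status(skip=(TOKEN_HEADER,)))
```

`altered_headers` can serve as a regression check: after encoding, the token header should never appear in its result.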