Public bug reported:
Use CURL to get an admin token and use it to perform list domains will
result in a failure.
Get an unscoped token:
$ cat token-request-admin.json
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "Default"
},
"name": "admin",
"password": "FreeIPA4All"
}
}
},
"scope": {
"project": {
"domain": {
"name": "Default"
},
"name": "demo"
}
}
}
}
-sh-4.2$ export TOKEN=`curl -si -d @token-request-admin.json -H "Content-type:
application/json" http://localhost:35357/v3/auth/tokens | awk
'/X-Subject-Token/ {print $2}'`-sh-4.2$ echo $TOKEN
PKIZ_eJy9Wltz2kq3fJ9fcd537YoukISH70EgIUQ8owgLiZk3JDm6ji8fNkL69acHcLYhTgLZp46rXBhjadZa06u718h__42vseN67H8m9Fa9-ZtQz-PfLD7_8iC8YpsyK0gnD_hdEk4mrltPrMDZTUJrNs6X_7VzOnGryWT67LmT2yf31ktMYgfOzFrjlxvq5MX6w1031xLjuUlK76M325RJHGlrd1SnHd5PN2XqTvvUzLapDMrVbZsT736-Tdyo96qHPDY35ToOSr-0SmrMpXB5y6txzftcZ_YUr_XAj6eFqOaVHwc7P1zqRMS8vJlYZSKnz-IWq0zmDyKeaiuTaTxm_10ZIzORUefdaxsV0esCvp32wnVMIuzlgLqLmtm892NvKCpRU9vZYdWdCKeShen5AoVw9ceknI8OKchokLpNJ1bsG18dw6-sHZtorT_RdnQatLR66PHdstuBznpnSO1s7ZVt7t2PO5IYjw031YXjT55cbJN4-vhawNdwhRtJvoo22cTbIIIXHuuNqplXLxoi5FRPZkH5DeF4sqn3H1RUp8aiYXEw9GPa-_ZCsmpc0CormBsMREV7FgY9j5c7sg9FDoskXr6u9px085HKmxtTFHK3FfstfEaE0YuYjbfreKilx99hG6MumRyqn80WrV9-3tKw7m4qx_Angx2q_ULD9CNeTdqNerGaG-uYNWk3shN3hG085NWJOHtMjME-iqWM7tfx6CU0hs0hwuYlc6MO6VbHnWizeL5Zx7QkKtTXYjGJvF1Hp2HTHH4WDatqE-CpARzdt62dsMeSht6-ZkCtTlLZ7i9ezxZaaj9sb9Q2lYMdq3KEnptIxfSr3GQ93aZG1GWyqcSKboN48byOB4cI0mPI-x1o5o0wmm1Sj14QrkrvMblfNKkUBTcOhebHi9W15Ptehw6wDezLwOAx75ktCiE9vBalH2YNYGtghwrWB9_DV9GTPwrf2G0zLLyP4NrwFQawlUBje57Ct
GDhuGSVN6D2uGC2Y1K7KERIh6wKhtRlktlpRw2kEGnq5trdatyQ_coyqmh5WFHsQeVhu0RBDa5Tmxsi9jQmnc53gyHrl70fiho_7xheCSvPGmR_MwXl8bvQPUcu-RV0WTky6O1nNA6rRRjVftigjXJNVNit0DN5uKiJ7_Ke9kuNGtOG3l4Pa_IW129hTeWioiGrqEuRu9Mx2xrSqmhEVQ95DFYKPQPY6UFpzgkwLsMF32aVs0XkuIG71IWNu_Z0wFxuULWa4WjCLiTtKdiYYTWn_BnkyTWg-YfiVPi54duOQXjFNdBUhwqXPHRaVqVDIZkUttci_9-mR36V3yXpkV_ld0lLnzCSqKKSS96r1mZ2A7EB-0rPVMARknZICWyl0uTf-4Gohtivei-2ySx6fl3x2BMdQ7FYj2_DG4jQ0kS4HGIRNNUCzQdtpHKJPxLVjz3BHhPwYvqbviCXULoqKDQSxfVe6BmLkwtp_CioJ-lpPBxLQsOlgRSkj_w4quzviSXYCVdAZHMAJh2wyTGNd0SIvBcyC62WTtDK5aA9qPBxW8v9xbeH8IdfE7l83cY9ZCUMxXFHxjqXu0fevQ153nBFNlVT-LanC5cihXlD_Ji3LCxqoKxnfQQKTwe0-3nI5xGTa0M-j_hIqoeqw8Zsjrtw8AkSCIxF44NgVbigMPgEAAjIhIaaYHJlMKKCIy_vXs_U3bNZ0x637hFKhBs32t0pOsHUTYVWhujSAaHuUlN35FUGR4JGBmwpHIqADohzSyOfm7sVg48EXo6uDTZvWKfuSHXbd6-YreabwwWFls2sjzfdZ-gmUBjyAQo4YB1orn8YsD7VyI3J-2sL97Zu5IfCVdjfyjOpnMOZco1WC0ldPvBd9IMLlMZLoJNqYOxSpUFUHteEfB4xuTzkaZ3EzctZtDBZIYTTWJowEOC_RcV6dF4FYMUBEJo1tMfnvfhe9fNoyTXh_ttmgmfgJjccOFcOngR-0FwEnqgDx-
2gd9A9GOswavzbgxP37hfD1D2ysDF6TmcRFjpGdawDekHUDMosKlh9u2ioHWgwVmjZAKt5ndJuXs1LDlo7t8WJHEGZ1B2PBfoTVJI3RTNQtO6mv9ypq4jI9RA-xcOBD6pgR1FRP56jG5s9qdIepIpIqL0c-m6kIuqopNo5HsgF8P1lauRnuV2aGvk1eDyYzBTYwKq2MhXoTggsj6cV7wsoNSsRQYo_ynV-ezkTv7WBhJa_9oG_s4HkAl08mgsgcHImNAaThMVT6ceQeOlogPEAbKvzyuqUuUbumGoxyXY_9kYmR5sMZEsg2eXp3ATqgi_BnqAfeIe5qfZtZTJEwyu626MSo7J_tEbkzUxcYWtqNdb935ntvdz9P5jt99zHUIDOMVwMOOZFWDsNxe15mA-FO5eQQ3yGgcN1NMLLPwDQm9TInwLoNTVyyXz8dptBbUPIwEAoIxrSlqATDWrn8MV0xyunhZzBqeYDZgQXzRHk1GgHygtebLSVz_6j2fntHHFqtl2-ozFWCjPQGeYIO4dSFxW1Uw2q3MHSVHDpDe_Td8y2ZNtkNdYzd3naG32x50pe5bhBrobyBsNXzWOvhcMzoUxzeKR8SKV3fl70kpii-J1mkAt8AfBAfyqy5HpPgHkBn4MTSyWJRJEIVVO7jZnEBsvE1KTwhOh342ee4G2k5NJQ_9CpAlBVVgnMTojUAMUZ6JOCKucaTwsolUFgFHRsj3lJuO9Fe724ngkQeaVoZkOF3HlD4VRYDB_YY4qxnZbaNawwGLtftr4Nnzg5Zej9zJT2py0Ld6JOKxFkUQgJZrItyFoD5sLMaIiSVcudsC1wh3XohTfo678PGxcw8k9nJt8-DiAXkCy5cMQDF2AUAOnsO9ZWNbJMH7YAdt_rIW0YoBQH0qG4kmTJNeG-J7zkfeX1sNfBjqPyPoyn8kYC4gtthM1XcxQsf7wA6dAdYVcbi9OIyZ8ehb7ihhwO4nJDnRX5IcQlzFBtBkQ
CNHZWsdCD2AfgySU-804O4o42j20SM6qFHHVJPNX27HxCIPAGmOzQdHBwDka-wGQVdksdpdsZTJaBldw55sBxc26m125UZBO9EnLwKjJNIhdtYiC1GVWn4Qm54gQLjRX8cMJD_vQE61V4yHvKg8GiTNymOq0FuLMP1LTSqhN-Fi4aEYMTMeYCwpYuqrz3Xdr6YT28hp2IMtTUttSAtbt2VlBsRv7NrHCcmVKD2bXB0JU09HZgXmgecjSQs_JHvTXc59wH7-oE-dWscElq5N_MChcIC1Jy0QuhaJihzhiDnYjVdjoD9M2QxbwDlAODhan2zhHINpXsQayYlsp3ekTSFvwwUAeSBoxCxzC1onDwROpIcIkP4ZlgKrmMivd75MAj5FL6fpdcQm9Ijmfq13Lhd-Ymbw_k0QtDeEUdcDYomBqqVMO5dqKKJFVp9l6LQb19ezh30XmiCvVnkZJrOXDv3CoPPsHCzWB1eZh28IPoSFQdwMAI3IATlYDqzPCuPVeuQazeVcfE5HfH4EzC0qjTzR4EAhKFPmL4qHdg65b2XCPqEQA30HXS-YGyUZNnHmfNKQIDGI5FJdxAZ2Gug1CCIbZswCUGq0qprwN-VKQ5L394EmjsikSCG46wFyu0M3C-t6535n51XT1P2r_v5nVi6IU6_j48zHyNAKkcn1Gez42OiEWRxbvDIcM_Iy56QzF0ig7k-_Ml5egBOOxciqErjNSJzUA9yWPd-fnhkcKON8S4pUOVT57NkpOHs-HZw9l-vka-I8q9cR5OJtZKU0_C25U9XtFg004CbpMoCOC95tGyd3xqta6lL52J1U6jeNiLVbCzK4uOcxaNrZSOo-gFNdJoMGhti9u49guxrShK7lmT2Q6nY76_gdW2XzMzM29khMFTbxN3-aJOsqzcGVMrdce3G99qvTW1NJe8PoS3A2dsBUtr7Hlj68tsuKSP34y01bRb52ZR3JW5cZPkT3fR8871k8H9aJazPPf-
YmSDgebjt8-Txpw_fWweh5sb_d4LiqfJk_H08LRsfJnxu8w2W8u57Tdlf2O1mlfYi7mApfXkmNw7o9FdEn7S9O5ZluvGX_vRdnNXZ479wJr0r_rGvM9XyUP6afXp220c8S-beLv5Nh820YPrfv5APr_8lWsvvfkxHqyf3fBBFgbrVvfN3br4_NXQXfPRK26ah2L-ceanw0D_-Nlf3_ibm9nyORiX4zuSc5F7pqw_hRb3afCtcMxqNPHr1eOH1PbCeCDks-vo2V_PjzJ7-Tqb3mnh0_Iz_TQzWPChqskHf2Hf3saJ-bJOvu6m4ZcyHGqDZJ58eJrsnnotv9lmszbLdxX_D9n_04TD7H_-geJ_AcEXH5I=
curl -v -si -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json"
http://localhost:35357/v3/domains
(debugging removed)
* Connection #0 to host localhost left intact
{"error": {"message": "The request you have made requires authentication.
(Disable debug mode to suppress these details.)", "code": 401, "title":
"Unauthorized"}}
Put a debugging breakpoint
--- a/keystone/middleware/core.py
+++ b/keystone/middleware/core.py
@@ -253,6 +253,8 @@ class AuthContextMiddleware(wsgi.Middleware):
context['environment'] = request.environ
try:
+ from remote_pdb import RemotePdb
+ RemotePdb('0.0.0.0', 4444).set_trace()
token_ref = self.token_api.get_token(token_id)
# TODO(ayoung): These two functions return the token in different
# formats instead of two calls, only make one. However, the call
Shows that the unique Id calculated inside self.token_api.get_token does not
match what the token table has in it.
Its using the SQL provider, and that delegates to the new persistance API,
which in turn gets the unique ID from the token_provider. Note that this
should be calling the token_provider directly.
** Affects: keystone
Importance: Critical
Assignee: Morgan Fainberg (mdrnstm)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Morgan Fainberg (mdrnstm)
** Changed in: keystone
Importance: Undecided => Critical
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1354765
Title:
Valid V3 tokens reported as invalid
Status in OpenStack Identity (Keystone):
New
Bug description:
Use CURL to get an admin token and use it to perform list domains will
result in a failure.
Get an unscoped token:
$ cat token-request-admin.json
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "Default"
},
"name": "admin",
"password": "FreeIPA4All"
}
}
},
"scope": {
"project": {
"domain": {
"name": "Default"
},
"name": "demo"
}
}
}
}
-sh-4.2$ export TOKEN=`curl -si -d @token-request-admin.json -H
"Content-type: application/json" http://localhost:35357/v3/auth/tokens | awk
'/X-Subject-Token/ {print $2}'`-sh-4.2$ echo $TOKEN
PKIZ_eJy9Wltz2kq3fJ9fcd537YoukISH70EgIUQ8owgLiZk3JDm6ji8fNkL69acHcLYhTgLZp46rXBhjadZa06u718h__42vseN67H8m9Fa9-ZtQz-PfLD7_8iC8YpsyK0gnD_hdEk4mrltPrMDZTUJrNs6X_7VzOnGryWT67LmT2yf31ktMYgfOzFrjlxvq5MX6w1031xLjuUlK76M325RJHGlrd1SnHd5PN2XqTvvUzLapDMrVbZsT736-Tdyo96qHPDY35ToOSr-0SmrMpXB5y6txzftcZ_YUr_XAj6eFqOaVHwc7P1zqRMS8vJlYZSKnz-IWq0zmDyKeaiuTaTxm_10ZIzORUefdaxsV0esCvp32wnVMIuzlgLqLmtm892NvKCpRU9vZYdWdCKeShen5AoVw9ceknI8OKchokLpNJ1bsG18dw6-sHZtorT_RdnQatLR66PHdstuBznpnSO1s7ZVt7t2PO5IYjw031YXjT55cbJN4-vhawNdwhRtJvoo22cTbIIIXHuuNqplXLxoi5FRPZkH5DeF4sqn3H1RUp8aiYXEw9GPa-_ZCsmpc0CormBsMREV7FgY9j5c7sg9FDoskXr6u9px085HKmxtTFHK3FfstfEaE0YuYjbfreKilx99hG6MumRyqn80WrV9-3tKw7m4qx_Angx2q_ULD9CNeTdqNerGaG-uYNWk3shN3hG085NWJOHtMjME-iqWM7tfx6CU0hs0hwuYlc6MO6VbHnWizeL5Zx7QkKtTXYjGJvF1Hp2HTHH4WDatqE-CpARzdt62dsMeSht6-ZkCtTlLZ7i9ezxZaaj9sb9Q2lYMdq3KEnptIxfSr3GQ93aZG1GWyqcSKboN48byOB4cI0mPI-x1o5o0wmm1Sj14QrkrvMblfNKkUBTcOhebHi9W15Ptehw6wDezLwOAx75ktCiE9vBalH2YNYGtghwrWB9_DV9GTPwrf2G0zLLyP4NrwFQawlUBje57
CtGDhuGSVN6D2uGC2Y1K7KERIh6wKhtRlktlpRw2kEGnq5trdatyQ_coyqmh5WFHsQeVhu0RBDa5Tmxsi9jQmnc53gyHrl70fiho_7xheCSvPGmR_MwXl8bvQPUcu-RV0WTky6O1nNA6rRRjVftigjXJNVNit0DN5uKiJ7_Ke9kuNGtOG3l4Pa_IW129hTeWioiGrqEuRu9Mx2xrSqmhEVQ95DFYKPQPY6UFpzgkwLsMF32aVs0XkuIG71IWNu_Z0wFxuULWa4WjCLiTtKdiYYTWn_BnkyTWg-YfiVPi54duOQXjFNdBUhwqXPHRaVqVDIZkUttci_9-mR36V3yXpkV_ld0lLnzCSqKKSS96r1mZ2A7EB-0rPVMARknZICWyl0uTf-4Gohtivei-2ySx6fl3x2BMdQ7FYj2_DG4jQ0kS4HGIRNNUCzQdtpHKJPxLVjz3BHhPwYvqbviCXULoqKDQSxfVe6BmLkwtp_CioJ-lpPBxLQsOlgRSkj_w4quzviSXYCVdAZHMAJh2wyTGNd0SIvBcyC62WTtDK5aA9qPBxW8v9xbeH8IdfE7l83cY9ZCUMxXFHxjqXu0fevQ153nBFNlVT-LanC5cihXlD_Ji3LCxqoKxnfQQKTwe0-3nI5xGTa0M-j_hIqoeqw8Zsjrtw8AkSCIxF44NgVbigMPgEAAjIhIaaYHJlMKKCIy_vXs_U3bNZ0x637hFKhBs32t0pOsHUTYVWhujSAaHuUlN35FUGR4JGBmwpHIqADohzSyOfm7sVg48EXo6uDTZvWKfuSHXbd6-YreabwwWFls2sjzfdZ-gmUBjyAQo4YB1orn8YsD7VyI3J-2sL97Zu5IfCVdjfyjOpnMOZco1WC0ldPvBd9IMLlMZLoJNqYOxSpUFUHteEfB4xuTzkaZ3EzctZtDBZIYTTWJowEOC_RcV6dF4FYMUBEJo1tMfnvfhe9fNoyTXh_ttmgmfgJjccOFcOngR-0FwEnqgD
x-2gd9A9GOswavzbgxP37hfD1D2ysDF6TmcRFjpGdawDekHUDMosKlh9u2ioHWgwVmjZAKt5ndJuXs1LDlo7t8WJHEGZ1B2PBfoTVJI3RTNQtO6mv9ypq4jI9RA-xcOBD6pgR1FRP56jG5s9qdIepIpIqL0c-m6kIuqopNo5HsgF8P1lauRnuV2aGvk1eDyYzBTYwKq2MhXoTggsj6cV7wsoNSsRQYo_ynV-ezkTv7WBhJa_9oG_s4HkAl08mgsgcHImNAaThMVT6ceQeOlogPEAbKvzyuqUuUbumGoxyXY_9kYmR5sMZEsg2eXp3ATqgi_BnqAfeIe5qfZtZTJEwyu626MSo7J_tEbkzUxcYWtqNdb935ntvdz9P5jt99zHUIDOMVwMOOZFWDsNxe15mA-FO5eQQ3yGgcN1NMLLPwDQm9TInwLoNTVyyXz8dptBbUPIwEAoIxrSlqATDWrn8MV0xyunhZzBqeYDZgQXzRHk1GgHygtebLSVz_6j2fntHHFqtl2-ozFWCjPQGeYIO4dSFxW1Uw2q3MHSVHDpDe_Td8y2ZNtkNdYzd3naG32x50pe5bhBrobyBsNXzWOvhcMzoUxzeKR8SKV3fl70kpii-J1mkAt8AfBAfyqy5HpPgHkBn4MTSyWJRJEIVVO7jZnEBsvE1KTwhOh342ee4G2k5NJQ_9CpAlBVVgnMTojUAMUZ6JOCKucaTwsolUFgFHRsj3lJuO9Fe724ngkQeaVoZkOF3HlD4VRYDB_YY4qxnZbaNawwGLtftr4Nnzg5Zej9zJT2py0Ld6JOKxFkUQgJZrItyFoD5sLMaIiSVcudsC1wh3XohTfo678PGxcw8k9nJt8-DiAXkCy5cMQDF2AUAOnsO9ZWNbJMH7YAdt_rIW0YoBQH0qG4kmTJNeG-J7zkfeX1sNfBjqPyPoyn8kYC4gtthM1XcxQsf7wA6dAdYVcbi9OIyZ8ehb7ihhwO4nJDnRX5IcQlzFBtB
kQCNHZWsdCD2AfgySU-804O4o42j20SM6qFHHVJPNX27HxCIPAGmOzQdHBwDka-wGQVdksdpdsZTJaBldw55sBxc26m125UZBO9EnLwKjJNIhdtYiC1GVWn4Qm54gQLjRX8cMJD_vQE61V4yHvKg8GiTNymOq0FuLMP1LTSqhN-Fi4aEYMTMeYCwpYuqrz3Xdr6YT28hp2IMtTUttSAtbt2VlBsRv7NrHCcmVKD2bXB0JU09HZgXmgecjSQs_JHvTXc59wH7-oE-dWscElq5N_MChcIC1Jy0QuhaJihzhiDnYjVdjoD9M2QxbwDlAODhan2zhHINpXsQayYlsp3ekTSFvwwUAeSBoxCxzC1onDwROpIcIkP4ZlgKrmMivd75MAj5FL6fpdcQm9Ijmfq13Lhd-Ymbw_k0QtDeEUdcDYomBqqVMO5dqKKJFVp9l6LQb19ezh30XmiCvVnkZJrOXDv3CoPPsHCzWB1eZh28IPoSFQdwMAI3IATlYDqzPCuPVeuQazeVcfE5HfH4EzC0qjTzR4EAhKFPmL4qHdg65b2XCPqEQA30HXS-YGyUZNnHmfNKQIDGI5FJdxAZ2Gug1CCIbZswCUGq0qprwN-VKQ5L394EmjsikSCG46wFyu0M3C-t6535n51XT1P2r_v5nVi6IU6_j48zHyNAKkcn1Gez42OiEWRxbvDIcM_Iy56QzF0ig7k-_Ml5egBOOxciqErjNSJzUA9yWPd-fnhkcKON8S4pUOVT57NkpOHs-HZw9l-vka-I8q9cR5OJtZKU0_C25U9XtFg004CbpMoCOC95tGyd3xqta6lL52J1U6jeNiLVbCzK4uOcxaNrZSOo-gFNdJoMGhti9u49guxrShK7lmT2Q6nY76_gdW2XzMzM29khMFTbxN3-aJOsqzcGVMrdce3G99qvTW1NJe8PoS3A2dsBUtr7Hlj68tsuKSP34y01bRb52ZR3JW5cZPkT3fR8871k8H9aJazPP
f-YmSDgebjt8-Txpw_fWweh5sb_d4LiqfJk_H08LRsfJnxu8w2W8u57Tdlf2O1mlfYi7mApfXkmNw7o9FdEn7S9O5ZluvGX_vRdnNXZ479wJr0r_rGvM9XyUP6afXp220c8S-beLv5Nh820YPrfv5APr_8lWsvvfkxHqyf3fBBFgbrVvfN3br4_NXQXfPRK26ah2L-ceanw0D_-Nlf3_ibm9nyORiX4zuSc5F7pqw_hRb3afCtcMxqNPHr1eOH1PbCeCDks-vo2V_PjzJ7-Tqb3mnh0_Iz_TQzWPChqskHf2Hf3saJ-bJOvu6m4ZcyHGqDZJ58eJrsnnotv9lmszbLdxX_D9n_04TD7H_-geJ_AcEXH5I=
curl -v -si -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json"
http://localhost:35357/v3/domains
(debugging removed)
* Connection #0 to host localhost left intact
{"error": {"message": "The request you have made requires authentication.
(Disable debug mode to suppress these details.)", "code": 401, "title":
"Unauthorized"}}
Put a debugging breakpoint
--- a/keystone/middleware/core.py
+++ b/keystone/middleware/core.py
@@ -253,6 +253,8 @@ class AuthContextMiddleware(wsgi.Middleware):
context['environment'] = request.environ
try:
+ from remote_pdb import RemotePdb
+ RemotePdb('0.0.0.0', 4444).set_trace()
token_ref = self.token_api.get_token(token_id)
# TODO(ayoung): These two functions return the token in different
# formats instead of two calls, only make one. However, the call
Shows that the unique Id calculated inside self.token_api.get_token does
not match what the token table has in it.
Its using the SQL provider, and that delegates to the new persistance API,
which in turn gets the unique ID from the token_provider. Note that this
should be calling the token_provider directly.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1354765/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
