[Yahoo-eng-team] [Bug 2026361] [NEW] API traceback when creating token with body from v2 api on the v3 endpoint

Fri, 07 Jul 2023 02:51:49 -0700 

Public bug reported:

When requesting a Keystone token, a user may make a mistake and use the api V2 
body on an api v3 endpoint.
This will result with a Traceback showing is user/password in the logs 

Keystone logs :


ERROR keystone.server.flask.application During handling of the above exception, 
another exception occurred:
ERROR keystone.server.flask.application 
ERROR keystone.server.flask.application Traceback (most recent call last):
ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1823, in 
full_dispatch_request
ERROR keystone.server.flask.application     rv = self.dispatch_request()
ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1799, in 
dispatch_request
ERROR keystone.server.flask.application     return 
self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 467, 
in wrapper
ERROR keystone.server.flask.application     resp = resource(*args, **kwargs)
ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask/views.py", line 107, in view
ERROR keystone.server.flask.application     return 
current_app.ensure_sync(self.dispatch_request)(**kwargs)
ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 582, 
in dispatch_request
ERROR keystone.server.flask.application     resp = meth(*args, **kwargs)
ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/server/flask/common.py", line 1064, in wrapper
ERROR keystone.server.flask.application     return f(*args, **kwargs)
ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/api/auth.py", line 314, in post
ERROR keystone.server.flask.application     
auth_schema.validate_issue_token_auth(auth_data)
ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/auth/schema.py", line 113, in 
validate_issue_token_auth
ERROR keystone.server.flask.application     
validation.lazy_validate(token_issue, auth)
ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/common/validation/__init__.py", line 30, in 
lazy_validate
ERROR keystone.server.flask.application     
schema_validator.validate(resource_to_validate)
ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/common/validation/validators.py", line 89, in 
validate
ERROR keystone.server.flask.application     raise 
exception.SchemaValidationError(detail=detail)
ERROR keystone.server.flask.application 
keystone.exception.SchemaValidationError: 'identity' is a required property


Jul 07 09:35:00 devstack devstack@keystone.service[60249]: ERROR 
keystone.server.flask.application On instance:
Jul 07 09:35:00 devstack devstack@keystone.service[60249]: ERROR 
keystone.server.flask.application     {'passwordCredentials': {'password': 
'password', 'username': 'admin'}}
Jul 07 09:35:00 devstack devstack@keystone.service[60249]: ERROR 
keystone.server.flask.application 
Jul 07 09:35:00 devstack devstack@keystone.service[60249]: [pid: 60249|app: 
0|req: 125/978] 57.128.26.217 () {58 vars in 979 bytes} [Fri Jul  7 09:35:00 
2023] POST /identity/v3/auth/tokens => generated 3467 bytes in 14 msecs 
(HTTP/1.1 400) 5 headers in 187 bytes (1 switches on core 0)


Steps to reproduce :

REQ: stack@devstack:~/devstack$ curl -i 
http://57.128.26.217/identity/v3/auth/tokens -X POST -H "Content-Type: 
application/json" -H "User-Agent: python-keystoneclient" 
-d'{"auth":{"passwordCredentials":{"username": "admin", "password": 
"password"}}}'
HTTP/1.1 400 BAD REQUEST
Date: Fri, 07 Jul 2023 09:35:00 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: application/json
Content-Length: 3467
Vary: X-Auth-Token
x-openstack-request-id: req-39da835d-6c25-4dfc-9fbc-8326311c44bf
Connection: close

{"error":{"code":400,"message":"'identity' is a required
property\n\nFailed validating 'required' in schema:\n    {'properties':
{'identity': {'properties': {'methods': {'items': {'type': 'string'},\n
'type': 'array'},\n
'password': {'properties': {'user': {'properties': {'domain':
{'properties': {'id': {'type': 'string'},\n
'name': {'type': 'string'}},\n
'type': 'object'},\n
'id': {'type': 'string'},\n
'name': {'type': 'string'},\n
'password': {'type': 'string'}},\n
'type': 'object'}},\n
'type': 'object'},\n
'token': {'properties': {'id': {'type': 'string'}},\n
'required': ['id'],\n
'type': 'object'}},\n                                 'required':
['methods'],\n                                 'type': 'object'},\n
'scope': {'properties': {'OS-TRUST:trust': {'properties': {'id':
{'type': 'string'}},\n
'type': 'object'},\n
'domain': {'properties': {'id': {'type': 'string'},\n
'name': {'type': 'string'}},\n
'type': 'object'},\n
'project': {'properties': {'domain': {'properties': {'id': {'type':
'string'},\n
'name': {'type': 'string'}},\n
'type': 'object'},\n
'id': {'type': 'string'},\n
'name': {'type': 'string'}},\n
'type': 'object'},\n
'system': {'properties': {'all': {'enum': [True,\n
False,\n
None],\n
'type': 'boolean'}},\n
'type': 'object'}},\n                              'type': ['object',
'string']}},\n     'required': ['identity'],\n     'type':
'object'}\n\nOn instance:\n    {'passwordCredentials': {'password':
'password', 'username': 'admin'}}","title":"Bad Request"}}


Tested on Devstack Env : 
- OS Version: Ubuntu 22.04 jammy
- Keystone : origin/master ( b80e1df2ef1735d91a1483e1ec64d4048c5b3145 )

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2026361

Title:
  API traceback when creating token with body from v2 api on the v3
  endpoint

Status in OpenStack Identity (keystone):
  New

Bug description:
  When requesting a Keystone token, a user may make a mistake and use the api 
V2 body on an api v3 endpoint.
  This will result with a Traceback showing is user/password in the logs 

  Keystone logs :

  
  ERROR keystone.server.flask.application During handling of the above 
exception, another exception occurred:
  ERROR keystone.server.flask.application 
  ERROR keystone.server.flask.application Traceback (most recent call last):
  ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1823, in 
full_dispatch_request
  ERROR keystone.server.flask.application     rv = self.dispatch_request()
  ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1799, in 
dispatch_request
  ERROR keystone.server.flask.application     return 
self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 467, 
in wrapper
  ERROR keystone.server.flask.application     resp = resource(*args, **kwargs)
  ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask/views.py", line 107, in view
  ERROR keystone.server.flask.application     return 
current_app.ensure_sync(self.dispatch_request)(**kwargs)
  ERROR keystone.server.flask.application   File 
"/usr/local/lib/python3.10/dist-packages/flask_restful/__init__.py", line 582, 
in dispatch_request
  ERROR keystone.server.flask.application     resp = meth(*args, **kwargs)
  ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/server/flask/common.py", line 1064, in wrapper
  ERROR keystone.server.flask.application     return f(*args, **kwargs)
  ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/api/auth.py", line 314, in post
  ERROR keystone.server.flask.application     
auth_schema.validate_issue_token_auth(auth_data)
  ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/auth/schema.py", line 113, in 
validate_issue_token_auth
  ERROR keystone.server.flask.application     
validation.lazy_validate(token_issue, auth)
  ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/common/validation/__init__.py", line 30, in 
lazy_validate
  ERROR keystone.server.flask.application     
schema_validator.validate(resource_to_validate)
  ERROR keystone.server.flask.application   File 
"/opt/stack/keystone/keystone/common/validation/validators.py", line 89, in 
validate
  ERROR keystone.server.flask.application     raise 
exception.SchemaValidationError(detail=detail)
  ERROR keystone.server.flask.application 
keystone.exception.SchemaValidationError: 'identity' is a required property

  
  Jul 07 09:35:00 devstack devstack@keystone.service[60249]: ERROR 
keystone.server.flask.application On instance:
  Jul 07 09:35:00 devstack devstack@keystone.service[60249]: ERROR 
keystone.server.flask.application     {'passwordCredentials': {'password': 
'password', 'username': 'admin'}}
  Jul 07 09:35:00 devstack devstack@keystone.service[60249]: ERROR 
keystone.server.flask.application 
  Jul 07 09:35:00 devstack devstack@keystone.service[60249]: [pid: 60249|app: 
0|req: 125/978] 57.128.26.217 () {58 vars in 979 bytes} [Fri Jul  7 09:35:00 
2023] POST /identity/v3/auth/tokens => generated 3467 bytes in 14 msecs 
(HTTP/1.1 400) 5 headers in 187 bytes (1 switches on core 0)


  Steps to reproduce :

  REQ: stack@devstack:~/devstack$ curl -i 
http://57.128.26.217/identity/v3/auth/tokens -X POST -H "Content-Type: 
application/json" -H "User-Agent: python-keystoneclient" 
-d'{"auth":{"passwordCredentials":{"username": "admin", "password": 
"password"}}}'
  HTTP/1.1 400 BAD REQUEST
  Date: Fri, 07 Jul 2023 09:35:00 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Type: application/json
  Content-Length: 3467
  Vary: X-Auth-Token
  x-openstack-request-id: req-39da835d-6c25-4dfc-9fbc-8326311c44bf
  Connection: close

  {"error":{"code":400,"message":"'identity' is a required
  property\n\nFailed validating 'required' in schema:\n
  {'properties': {'identity': {'properties': {'methods': {'items':
  {'type': 'string'},\n
  'type': 'array'},\n
  'password': {'properties': {'user': {'properties': {'domain':
  {'properties': {'id': {'type': 'string'},\n
  'name': {'type': 'string'}},\n
  'type': 'object'},\n
  'id': {'type': 'string'},\n
  'name': {'type': 'string'},\n
  'password': {'type': 'string'}},\n
  'type': 'object'}},\n
  'type': 'object'},\n
  'token': {'properties': {'id': {'type': 'string'}},\n
  'required': ['id'],\n
  'type': 'object'}},\n                                 'required':
  ['methods'],\n                                 'type': 'object'},\n
  'scope': {'properties': {'OS-TRUST:trust': {'properties': {'id':
  {'type': 'string'}},\n
  'type': 'object'},\n
  'domain': {'properties': {'id': {'type': 'string'},\n
  'name': {'type': 'string'}},\n
  'type': 'object'},\n
  'project': {'properties': {'domain': {'properties': {'id': {'type':
  'string'},\n
  'name': {'type': 'string'}},\n
  'type': 'object'},\n
  'id': {'type': 'string'},\n
  'name': {'type': 'string'}},\n
  'type': 'object'},\n
  'system': {'properties': {'all': {'enum': [True,\n
  False,\n
  None],\n
  'type': 'boolean'}},\n
  'type': 'object'}},\n                              'type': ['object',
  'string']}},\n     'required': ['identity'],\n     'type':
  'object'}\n\nOn instance:\n    {'passwordCredentials': {'password':
  'password', 'username': 'admin'}}","title":"Bad Request"}}

  
  Tested on Devstack Env : 
  - OS Version: Ubuntu 22.04 jammy
  - Keystone : origin/master ( b80e1df2ef1735d91a1483e1ec64d4048c5b3145 )

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2026361/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to