** No longer affects: keystone -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1690203
Title: keystoneauth1 v3 Token object ignores the token passed in Status in keystoneauth: In Progress Bug description: The primary problem reported in the defect is that when a keystoneauth1 identity Token is set in the session and a REST call is made, the session does not use the same token for making the call. auth = identity.v3.Token(auth_url, token) s = session.Session(auth=auth, verify=False) resp = s.get('http://localhost:9292/v2/images', headers={'Accept': 'application/json'} Even though the token has been explicitly as part of the v3.Token object , the token that is set is not user to make the REST call. Instead a new unscoped token is generated. This new unscoped token which is generated doesn't have roles, project and catalog information as seen below {"token": {"issued_at": "2017-05-11T12:07:13.000000Z", "audit_ids": ["_0-Hir4UTS-ATQmbiOP0Wg", "Zh4SNR-jREugwuoxGXL4wg"], "user": {"id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9", "domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "root"}, "expires_at": "2017-05-11T18:05:50.000000Z", "methods": ["token", "password"]}} The flow here is : 1. Using the keystoneauth1 session object a post call is made with the auth v3.Token object set. 2. When we make a session call, control comes here >> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/session.py#L491 >> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/session.py#L818 >> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/plugin.py#L90 The keystoneauth1.identity.v3.Token object does not have an implementation for get_token so the control finally falls back on the keystoneauth1 identity base implementation which is probably not even applicable for keystone v3. >> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/base.py#L90 >> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/base.py#L135 >> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/base.py#L92 The above check for re-authenticate always returns True as it does not consider the token that has been passed into the v3.Token object and in all cases goes on to create a new token, which is subsequently used to make the REST call, which happens here>> https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/v3/base.py#L112 https://github.com/openstack/keystoneauth/blob/stable/ocata/keystoneauth1/identity/v3/base.py#L166 3. To resolve the above problem I overrided the get_token method inside v3.Token to return the token that was passed in instead of a re-authentication and everything worked fine..Of course this is more of a hack to check if this helped fix this problem. The below doesn't have logic to check if the token was going to expire and if re- authentication was required etc. class Token(base.AuthConstructor): _auth_method_class = TokenMethod token_new = None def __init__(self, auth_url, token, **kwargs): super(Token, self).__init__(auth_url, token=token, **kwargs) self.token_new = token def get_token(self, session, **kwargs): return self.token_new To manage notifications about this bug go to: https://bugs.launchpad.net/keystoneauth/+bug/1690203/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp