Reviewed: https://review.openstack.org/344496
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=e420b16c22288c0a8cb9b1337e56f04ca1ef8737
Submitter: Jenkins
Branch: master
commit e420b16c22288c0a8cb9b1337e56f04ca1ef8737
Author: Colleen Murphy <coll...@gazlene.net>
Date: Tue Jul 19 15:41:24 2016 -0700
Skip middleware request processing for admin token
In be558717 the request handling was refactored and more of the token
handling was left to keystonemiddleware. However, when using the
deprecated admin_token, the token needs to be handled differently.
Specifically, there may be no 'token' or 'access' key in the body of
the request, which keystoneauth expects to have keystonemiddleware pass
to it[1][2]. Luckily the admin_token doesn't need a lot of special
processing, so we can just skip that step and move on to fill_context.
[1]
http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n399
[2]
http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/access/access.py#n41
Closes-bug: #1603038
Change-Id: Iac4a5769072925fe2f36768c8f31816e6866f2f6
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1603038
Title:
Execption on admin_token usage ValueError: Unrecognized
Status in OpenStack Identity (keystone):
Fix Released
Status in keystonemiddleware:
Invalid
Bug description:
1. iniset keystone.conf DEFAULT admin_token deprecated
2. reload keystone (systemctl restart httpd)
3. curl -g -i -X GET http://192.168.9.98/identity_v2_admin/v2.0/users -H
"User-Agent: python-keystoneclient" -H "Accept: application/json" -H
"X-Auth-Token: deprecated"
I know the admin_token is deprecated, but is should be handled without
throwing an extra exception.
2016-07-14 11:00:28.487 20453 WARNING keystone.middleware.core
[req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] The admin_token_auth
middleware presents a security risk and should be removed from the
[pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of
your paste ini file.
2016-07-14 11:00:28.593 20453 DEBUG keystone.middleware.auth
[req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Authenticating user token
process_request
/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py:354
2016-07-14 11:00:28.593 20453 WARNING keystone.middleware.auth
[req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Invalid token contents.
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth Traceback (most
recent call last):
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth File
"/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py",
line 399, in _do_fetch_token
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth return data,
access.create(body=data, auth_token=token)
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth File
"/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth return
wrapped(*args, **kwargs)
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth File
"/usr/lib/python2.7/site-packages/keystoneauth1/access/access.py", line 49, in
create
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth raise
ValueError('Unrecognized auth response')
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth ValueError:
Unrecognized auth response
2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth
2016-07-14 11:00:28.594 20453 INFO keystone.middleware.auth
[req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Invalid user token
2016-07-14 11:00:28.595 20453 DEBUG keystone.middleware.auth
[req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] RBAC: auth_context: {}
fill_context /opt/stack/keystone/keystone/middleware/auth.py:219
2016-07-14 11:00:28.604 20453 INFO keystone.common.wsgi
[req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] GET
http://192.168.9.98/identity_v2_admin/v2.0/users
2016-07-14 11:00:28.604 20453 WARNING oslo_log.versionutils
[req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] Deprecated: get_users of
the v2 API is deprecated as of Mitaka in favor of a similar function in the v3
API and may be removed in Q.
2016-07-14 11:00:28.622 20453 DEBUG oslo_db.sqlalchemy.engines
[req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] MySQL server mode set to
STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
_check_effective_sql_mode
/usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/engines.py:256
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1603038/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
