yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1354765] Re: Valid V3 tokens reported as invalid

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Sep 2014 14:33:43 -0000
Reply-to: Bug 1354765 <1354765@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1354765

Title:
  Valid V3 tokens reported as invalid

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  Use CURL to get an admin token and use it to perform list domains will
  result in a failure.

  Get a scoped token:

  $ cat token-request-admin.json
  {
      "auth": {
          "identity": {
              "methods": [
                  "password"
              ],
              "password": {
                  "user": {
                      "domain": {
                          "name": "Default"
                      },
                      "name": "admin",
                      "password": "FreeIPA4All"
                  }
              }
          },
          "scope": {
              "project": {
                  "domain": {
                      "name": "Default"
                  },
                  "name": "demo"
              }
          }
      }
  }

  -sh-4.2$ export TOKEN=`curl -si -d @token-request-admin.json -H "Content-type: application/json" http://localhost:35357/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'`-sh-4.2$ echo $TOKEN
  PKIZ_eJy9Wltz2kq3fJ9fcd537YoukISH70EgIUQ8owgLiZk3JDm6ji8fNkL69acHcLYhTgLZp46rXBhjadZa06u718h__42vseN67H8m9Fa9-ZtQz-PfLD7_8iC8YpsyK0gnD_hdEk4mrltPrMDZTUJrNs6X_7VzOnGryWT67LmT2yf31ktMYgfOzFrjlxvq5MX6w1031xLjuUlK76M325RJHGlrd1SnHd5PN2XqTvvUzLapDMrVbZsT736-Tdyo96qHPDY35ToOSr-0SmrMpXB5y6txzftcZ_YUr_XAj6eFqOaVHwc7P1zqRMS8vJlYZSKnz-IWq0zmDyKeaiuTaTxm_10ZIzORUefdaxsV0esCvp32wnVMIuzlgLqLmtm892NvKCpRU9vZYdWdCKeShen5AoVw9ceknI8OKchokLpNJ1bsG18dw6-sHZtorT_RdnQatLR66PHdstuBznpnSO1s7ZVt7t2PO5IYjw031YXjT55cbJN4-vhawNdwhRtJvoo22cTbIIIXHuuNqplXLxoi5FRPZkH5DeF4sqn3H1RUp8aiYXEw9GPa-_ZCsmpc0CormBsMREV7FgY9j5c7sg9FDoskXr6u9px085HKmxtTFHK3FfstfEaE0YuYjbfreKilx99hG6MumRyqn80WrV9-3tKw7m4qx_Angx2q_ULD9CNeTdqNerGaG-uYNWk3shN3hG085NWJOHtMjME-iqWM7tfx6CU0hs0hwuYlc6MO6VbHnWizeL5Zx7QkKtTXYjGJvF1Hp2HTHH4WDatqE-CpARzdt62dsMeSht6-ZkCtTlLZ7i9ezxZaaj9sb9Q2lYMdq3KEnptIxfSr3GQ93aZG1GWyqcSKboN48byOB4cI0mPI-x1o5o0wmm1Sj14QrkrvMblfNKkUBTcOhebHi9W15Ptehw6wDezLwOAx75ktCiE9vBalH2YNYGtghwrWB9_DV9GTPwrf2G0zLLyP4NrwFQawlUBje57CtGDhuGSVN6D2uGC2Y1K7KERIh6wKhtRlktlpRw2kEGnq5trdatyQ_coyqmh5WFHsQeVhu0RBDa5Tmxsi9jQmnc53gyHrl70fiho_7xheCSvPGmR_MwXl8bvQPUcu-RV0WTky6O1nNA6rRRjVftigjXJNVNit0DN5uKiJ7_Ke9kuNGtOG3l4Pa_IW129hTeWioiGrqEuRu9Mx2xrSqmhEVQ95DFYKPQPY6UFpzgkwLsMF32aVs0XkuIG71IWNu_Z0wFxuULWa4WjCLiTtKdiYYTWn_BnkyTWg-YfiVPi54duOQXjFNdBUhwqXPHRaVqVDIZkUttci_9-mR36V3yXpkV_ld0lLnzCSqKKSS96r1mZ2A7EB-0rPVMARknZICWyl0uTf-4Gohtivei-2ySx6fl3x2BMdQ7FYj2_DG4jQ0kS4HGIRNNUCzQdtpHKJPxLVjz3BHhPwYvqbviCXULoqKDQSxfVe6BmLkwtp_CioJ-lpPBxLQsOlgRSkj_w4quzviSXYCVdAZHMAJh2wyTGNd0SIvBcyC62WTtDK5aA9qPBxW8v9xbeH8IdfE7l83cY9ZCUMxXFHxjqXu0fevQ153nBFNlVT-LanC5cihXlD_Ji3LCxqoKxnfQQKTwe0-3nI5xGTa0M-j_hIqoeqw8Zsjrtw8AkSCIxF44NgVbigMPgEAAjIhIaaYHJlMKKCIy_vXs_U3bNZ0x637hFKhBs32t0pOsHUTYVWhujSAaHuUlN35FUGR4JGBmwpHIqADohzSyOfm7sVg48EXo6uDTZvWKfuSHXbd6-YreabwwWFls2sjzfdZ-gmUBjyAQo4YB1orn8YsD7VyI3J-2sL97Zu5IfCVdjfyjOpnMOZco1WC0ldPvBd9IMLlMZLoJNqYOxSpUFUHteEfB4xuTzkaZ3EzctZtDBZIYTTWJowEOC_RcV6dF4FYMUBEJo1tMfnvfhe9fNoyTXh_ttmgmfgJjccOFcOngR-0FwEnqgDx-2gd9A9GOswavzbgxP37hfD1D2ysDF6TmcRFjpGdawDekHUDMosKlh9u2ioHWgwVmjZAKt5ndJuXs1LDlo7t8WJHEGZ1B2PBfoTVJI3RTNQtO6mv9ypq4jI9RA-xcOBD6pgR1FRP56jG5s9qdIepIpIqL0c-m6kIuqopNo5HsgF8P1lauRnuV2aGvk1eDyYzBTYwKq2MhXoTggsj6cV7wsoNSsRQYo_ynV-ezkTv7WBhJa_9oG_s4HkAl08mgsgcHImNAaThMVT6ceQeOlogPEAbKvzyuqUuUbumGoxyXY_9kYmR5sMZEsg2eXp3ATqgi_BnqAfeIe5qfZtZTJEwyu626MSo7J_tEbkzUxcYWtqNdb935ntvdz9P5jt99zHUIDOMVwMOOZFWDsNxe15mA-FO5eQQ3yGgcN1NMLLPwDQm9TInwLoNTVyyXz8dptBbUPIwEAoIxrSlqATDWrn8MV0xyunhZzBqeYDZgQXzRHk1GgHygtebLSVz_6j2fntHHFqtl2-ozFWCjPQGeYIO4dSFxW1Uw2q3MHSVHDpDe_Td8y2ZNtkNdYzd3naG32x50pe5bhBrobyBsNXzWOvhcMzoUxzeKR8SKV3fl70kpii-J1mkAt8AfBAfyqy5HpPgHkBn4MTSyWJRJEIVVO7jZnEBsvE1KTwhOh342ee4G2k5NJQ_9CpAlBVVgnMTojUAMUZ6JOCKucaTwsolUFgFHRsj3lJuO9Fe724ngkQeaVoZkOF3HlD4VRYDB_YY4qxnZbaNawwGLtftr4Nnzg5Zej9zJT2py0Ld6JOKxFkUQgJZrItyFoD5sLMaIiSVcudsC1wh3XohTfo678PGxcw8k9nJt8-DiAXkCy5cMQDF2AUAOnsO9ZWNbJMH7YAdt_rIW0YoBQH0qG4kmTJNeG-J7zkfeX1sNfBjqPyPoyn8kYC4gtthM1XcxQsf7wA6dAdYVcbi9OIyZ8ehb7ihhwO4nJDnRX5IcQlzFBtBkQCNHZWsdCD2AfgySU-804O4o42j20SM6qFHHVJPNX27HxCIPAGmOzQdHBwDka-wGQVdksdpdsZTJaBldw55sBxc26m125UZBO9EnLwKjJNIhdtYiC1GVWn4Qm54gQLjRX8cMJD_vQE61V4yHvKg8GiTNymOq0FuLMP1LTSqhN-Fi4aEYMTMeYCwpYuqrz3Xdr6YT28hp2IMtTUttSAtbt2VlBsRv7NrHCcmVKD2bXB0JU09HZgXmgecjSQs_JHvTXc59wH7-oE-dWscElq5N_MChcIC1Jy0QuhaJihzhiDnYjVdjoD9M2QxbwDlAODhan2zhHINpXsQayYlsp3ekTSFvwwUAeSBoxCxzC1onDwROpIcIkP4ZlgKrmMivd75MAj5FL6fpdcQm9Ijmfq13Lhd-Ymbw_k0QtDeEUdcDYomBqqVMO5dqKKJFVp9l6LQb19ezh30XmiCvVnkZJrOXDv3CoPPsHCzWB1eZh28IPoSFQdwMAI3IATlYDqzPCuPVeuQazeVcfE5HfH4EzC0qjTzR4EAhKFPmL4qHdg65b2XCPqEQA30HXS-YGyUZNnHmfNKQIDGI5FJdxAZ2Gug1CCIbZswCUGq0qprwN-VKQ5L394EmjsikSCG46wFyu0M3C-t6535n51XT1P2r_v5nVi6IU6_j48zHyNAKkcn1Gez42OiEWRxbvDIcM_Iy56QzF0ig7k-_Ml5egBOOxciqErjNSJzUA9yWPd-fnhkcKON8S4pUOVT57NkpOHs-HZw9l-vka-I8q9cR5OJtZKU0_C25U9XtFg004CbpMoCOC95tGyd3xqta6lL52J1U6jeNiLVbCzK4uOcxaNrZSOo-gFNdJoMGhti9u49guxrShK7lmT2Q6nY76_gdW2XzMzM29khMFTbxN3-aJOsqzcGVMrdce3G99qvTW1NJe8PoS3A2dsBUtr7Hlj68tsuKSP34y01bRb52ZR3JW5cZPkT3fR8871k8H9aJazPPf-YmSDgebjt8-Txpw_fWweh5sb_d4LiqfJk_H08LRsfJnxu8w2W8u57Tdlf2O1mlfYi7mApfXkmNw7o9FdEn7S9O5ZluvGX_vRdnNXZ479wJr0r_rGvM9XyUP6afXp220c8S-beLv5Nh820YPrfv5APr_8lWsvvfkxHqyf3fBBFgbrVvfN3br4_NXQXfPRK26ah2L-ceanw0D_-Nlf3_ibm9nyORiX4zuSc5F7pqw_hRb3afCtcMxqNPHr1eOH1PbCeCDks-vo2V_PjzJ7-Tqb3mnh0_Iz_TQzWPChqskHf2Hf3saJ-bJOvu6m4ZcyHGqDZJ58eJrsnnotv9lmszbLdxX_D9n_04TD7H_-geJ_AcEXH5I=

  curl -v -si -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/domains
  (debugging removed)

  * Connection #0 to host localhost left intact
  {"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}

  Put a debugging breakpoint

  --- a/keystone/middleware/core.py
  +++ b/keystone/middleware/core.py
  @@ -253,6 +253,8 @@ class AuthContextMiddleware(wsgi.Middleware):
           context['environment'] = request.environ

           try:
  +            from remote_pdb import RemotePdb
  +           RemotePdb('0.0.0.0', 4444).set_trace()
               token_ref = self.token_api.get_token(token_id)
               # TODO(ayoung): These two functions return the token in different
               # formats instead of two calls, only make one.  However, the call

  Shows that the unique Id  calculated inside self.token_api.get_token  does not match what the token table has in it.
  Its using the SQL provider, and that delegates to the new persistance API, which in turn gets the unique ID from the token_provider.  Note that this should be calling the token_provider directly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1354765/+subscriptions
References

[Bug 1354765] [NEW] Valid V3 tokens reported as invalid
From: Adam Young, 2014-08-10