yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #29775
[Bug 1419114] Re: Nova api 'Authorization failed for token' with federated scoped token
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1419114
Title:
Nova api 'Authorization failed for token' with federated scoped token
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
OpenStack Release: Juno
I am investigated k2k and I'm seeing the following behavior
I have setup a keystone 2 keystone environment.
I get a unscoped federated token
I then get a project scoped token from the unscoped.
I attempt to something simple by listing the flavors
-- curl -i -X GET -H "X-Auth-Token:eb2966a9b55e4836907b956b79187341"
http://keystone.service.provider:8774/v2/031a04fd26da4d74b9d2375de2d80be0/flavors
I see this in the nova api.log:
-------------------------------
2015-02-06 10:20:32.787 3970 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
2015-02-06 10:20:32.788 3970 INFO nova.osapi_compute.wsgi.server [-] 9.10.111.91 "GET /v2/031a04fd26da4d74b9d2375de2d80be0/flavors HTTP/1.1" status: 401 len: 261 time: 0.0038319
I see this in the keystone.log:
-------------------------------
2015-02-06 10:55:00.753 5910 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.6/site-packages/keystone/common/controller.py:155
2015-02-06 10:55:00.769 5910 ERROR keystone.common.wsgi [-] 'domain'
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 223, in __call__
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi result = method(context, **params)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/common/controller.py", line 156, in inner
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi return f(self, context, *args, **kwargs)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 445, in validate_token
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi return self.token_provider_api.validate_v2_token(token_id, belongs_to)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/token/provider.py", line 246, in validate_v2_token
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi token = self._validate_v2_token(token_ref)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/dogpile/cache/region.py", line 1008, in decorate
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi should_cache_fn)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/dogpile/cache/region.py", line 637, in get_or_create
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi async_creator) as value:
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/dogpile/core/dogpile.py", line 158, in __enter__
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi return self._enter()
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/dogpile/core/dogpile.py", line 98, in _enter
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi generated = self._enter_create(createdtime)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/dogpile/core/dogpile.py", line 149, in _enter_create
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi created = self.creator()
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/dogpile/cache/region.py", line 609, in gen_value
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi created_value = creator()
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/dogpile/cache/region.py", line 1004, in creator
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi return fn(*arg, **kw)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/token/provider.py", line 329, in _validate_v2_token
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi return self.driver.validate_v2_token(token_id)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 540, in validate_v2_token
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi self._assert_default_domain(token_ref)
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/token/providers/common.py", line 502, in _assert_default_domain
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi if (token_ref['token_data']['token']['user']['domain']['id'] !=
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi KeyError: 'domain'
2015-02-06 10:55:00.769 5910 TRACE keystone.common.wsgi
The token body of the scoped token is:
--------------------------------------
{
"token": {
"methods": [
"saml2"
],
"roles": [
{
"id": "29c93633be764f5ba0f5c8a35e676192",
"name": "admin"
},
{
"id": "9cec6650f92b4c7dadf8dd721c63ca86",
"name": "service"
}
],
"expires_at": "2015-02-07T16:16:03.637035Z",
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "031a04fd26da4d74b9d2375de2d80be0",
"name": "admin"
},
"catalog": [
{
"endpoints": [
{
"url": "http://keystone.service.provider:35357/v2.0";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "ab52a310422a42639ffa19ad7dcd02bf"
},
{
"url": "http://keystone.service.provider:5000/v2.0";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "b0bc001ae06543ba94aa717a21fe6ed7"
},
{
"url": "http://keystone.service.provider:5000/v2.0";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "e84eaf1089234a53902072059f7d8e33"
}
],
"type": "identity",
"id": "19b22a8988d84f5cb1fa4bd591fa9bec",
"name": "keystone"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:9696";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "66986ddfbe5d417882ddbb4588ea0a2a"
},
{
"url": "http://keystone.service.provider:9696";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "d47a8bfcb8154618b4d57feafb5fd7ce"
},
{
"url": "http://keystone.service.provider:9696";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "f237d327d52c44a9902bf0a633c8caf5"
}
],
"type": "network",
"id": "5f50b822e83b495eaa66ffa4853ee67a",
"name": "neutron"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:8776/v2/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "3c273aca09824e8fb81f6ce6929adb52"
},
{
"url": "http://keystone.service.provider:8776/v2/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "4aff46491fcb4fda8d54aa45ab95f8ef"
},
{
"url": "http://keystone.service.provider:8776/v2/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "878bee15c2344b34b87590dcc5e329c8"
}
],
"type": "volumev2",
"id": "6d9fb0c614374ad997df7ded7d3c95f4",
"name": "cinderv2"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:8000/v1";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "4179c8f8dc7a40d38298806d1d3203e1"
},
{
"url": "http://keystone.service.provider:8000/v1";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "512ca87f27b64818bba3322ce162dd06"
},
{
"url": "http://keystone.service.provider:8000/v1";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "e7fbe151a83c41e49f310eec7de26955"
}
],
"type": "cloudformation",
"id": "7684b358a3ef4337a3778586607e378f",
"name": "heat-cfn"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:8774/v2/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "3b5b576551af4620919db2702b56fdf1"
},
{
"url": "http://keystone.service.provider:8774/v2/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "3de92054cd2a41a8ab4892acea29a1bf"
},
{
"url": "http://keystone.service.provider:8774/v2/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "c66d0eead768418492874eaafe02fa57"
}
],
"type": "compute",
"id": "a8390a9c621a45ed9069eb032077cb8f",
"name": "nova"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:8777";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "3642e8b2404f4e31ad7bed7316176a74"
},
{
"url": "http://keystone.service.provider:8777";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "384d2b4982e84eb4a6d552c3c502943b"
},
{
"url": "http://keystone.service.provider:8777";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "b0694e4208074ed28745db6c9608389e"
}
],
"type": "metering",
"id": "dd0f2f66ca624408bc82c7eb55ef65b1",
"name": "ceilometer"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:8004/v1/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "218337fa2dc44b3b9cee2368a399ed56"
},
{
"url": "http://keystone.service.provider:8004/v1/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "5d25864dde854bfc83839076bc30e774"
},
{
"url": "http://keystone.service.provider:8004/v1/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "ab5f112637a34ba2833a377360b1b5a9"
}
],
"type": "orchestration",
"id": "e0b42767b3f247ee8124ab5bbbf232eb",
"name": "heat"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:9292";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "b5d954ae40b5496bb476cbd7010aabdc"
},
{
"url": "http://keystone.service.provider:9292";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "cca308367f274c5cbe91cd540bb5ee9c"
},
{
"url": "http://keystone.service.provider:9292";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "e055c8c3d94c4201907a70708a0c177a"
}
],
"type": "image",
"id": "e6a478cfa5e24bcfa3c876b745fad4ed",
"name": "glance"
},
{
"endpoints": [
{
"url": "http://keystone.service.provider:8776/v1/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "internal",
"region": "Region02",
"region_id": "Region02",
"id": "35b10b4ebd26424d98a7b09a7d623783"
},
{
"url": "http://keystone.service.provider:8776/v1/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "admin",
"region": "Region02",
"region_id": "Region02",
"id": "867b7b6699d041eaad407f629d8c73b3"
},
{
"url": "http://keystone.service.provider:8776/v1/031a04fd26da4d74b9d2375de2d80be0";,
"interface": "public",
"region": "Region02",
"region_id": "Region02",
"id": "d7eca9c32e594ce8b84afe8784abcf0e"
}
],
"type": "volume",
"id": "f3b990f618424bac91d153bd1b3190d1",
"name": "cinder"
}
],
"extras": {},
"user": {
"OS-FEDERATION": {
"identity_provider": {
"id": "Wisconsin"
},
"protocol": {
"id": "saml2"
}
},
"id": "admin",
"name": "admin"
},
"audit_ids": [
"HY3ENddAQRCkbX68mkI7Uw"
],
"issued_at": "2015-02-06T16:16:03.637076Z"
}
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1419114/+subscriptions
References
