yahoo-eng-team team mailing list archive

[Bug 1567025] [NEW] Can't use TokenManager.authenticate() with publicurl

 

Public bug reported:

See attached example.py for sample code and context.

Create a v2 client object:

* Use publicurl as the auth_url endpoint
* Use credentials that confer an admin role

Call client.tokens.authenticate() using any valid token/tenant_id.

The call fails when adminurl is unreachable.

Expectation is that publicurl would be used as the auth_url endpoint,
however ...

From https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/tokens.py#L61

 # NOTE(jamielennox): try doing a regular admin query first. If there is
 # no endpoint that can satisfy the request (eg an unscoped token) then
 # issue it against the auth_url.
 try:
     token_ref = self._post(*args, **kwargs)
 except exceptions.EndpointNotFound:
     kwargs['endpoint_filter'] = {'interface': auth.AUTH_INTERFACE}

Our keystone adminurl is intentionally on a private network and
*unreachable* from where example.py is running (in a VM).

After quite a while, an exception is raised
(keystoneauth1.exceptions.ConnectFailure) and auth_url is never tried.

Meanwhile, a direct API call, skipping python-keystoneclient, works
fine:

* POST to publicurl, /v2/tokens, from the same location/VM
* Use X-Auth-Token of someone with an admin role
* Pass in the same valid token/tenant_id as before.

Additionally, a CLI call such as "nova list" (using the same credentials
and conferred admin role) also works.

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "example.py"
   https://bugs.launchpad.net/bugs/1567025/+attachment/4626392/+files/example.py

** Description changed:

  See attached example.py for sample code and context.
  
  Create a v2 client object:
  
  * Use publicurl as the auth_url endpoint
  * Use credentials that confer an admin role
  
  Call client.tokens.authenticate() using any valid token/tenant_id.
  
  The call fails when adminurl is unreachable.
  
  Expectation is that publicurl would be used as the auth_url endpoint,
  however ...
  
  From https://github.com/openstack/python-
  keystoneclient/blob/master/keystoneclient/v2_0/tokens.py#L61
  
-         # NOTE(jamielennox): try doing a regular admin query first. If there is
-         # no endpoint that can satisfy the request (eg an unscoped token) then
-         # issue it against the auth_url.
-         try:
-             token_ref = self._post(*args, **kwargs)
-         except exceptions.EndpointNotFound:
-             kwargs['endpoint_filter'] = {'interface': auth.AUTH_INTERFACE}
+  # NOTE(jamielennox): try doing a regular admin query first. If there is
+  # no endpoint that can satisfy the request (eg an unscoped token) then
+  # issue it against the auth_url.
+  try:
+      token_ref = self._post(*args, **kwargs)
+  except exceptions.EndpointNotFound:
+      kwargs['endpoint_filter'] = {'interface': auth.AUTH_INTERFACE}
  
  Our keystone adminurl is intentionally on a private network and
  *unreachable* from where example.py is running (in a VM).
  
  After quite a while, an exception is raised
  (keystoneauth1.exceptions.ConnectFailure) and auth_url is never tried.
  
  Meanwhile, a direct API call, skipping python-keystoneclient, works
  fine:
  
  * POST to publicurl, /v2/tokens, from the same location/VM
  * Use X-Auth-Token of someone with an admin role
  * Pass in the same valid token/tenant_id as before.
  
  Additionally, a CLI call such as "nova list" (using the same credentials
  and conferred admin role) also works.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1567025

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1567025/+subscriptions
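The control flow the report describes, as an added example that is not part of the original bug report or of python-keystoneclient. The exception classes are local stand-ins for the names in the report, `FakeTransport` and both function names are hypothetical, the retry line after the `except` is assumed from the quoted comment, and the second function is one possible variant rather than the project's fix.

```python
# Stand-ins for the names in the report, constructed so this runs without
# keystoneclient/keystoneauth1 installed (assumption, not the real classes).
class EndpointNotFound(Exception):
    pass

class ConnectFailure(Exception):
    pass

AUTH_INTERFACE = "auth"  # placeholder for auth.AUTH_INTERFACE


class FakeTransport:
    """Hypothetical transport that records which interface each POST used."""

    def __init__(self, catalog, reachable):
        self.catalog = catalog      # interfaces listed in the service catalog
        self.reachable = reachable  # interfaces this host can connect to
        self.attempts = []

    def post(self, endpoint_filter=None):
        interface = (endpoint_filter or {}).get("interface", "admin")
        self.attempts.append(interface)
        # auth_url is configured by the caller, so it needs no catalog entry.
        if interface != AUTH_INTERFACE and interface not in self.catalog:
            raise EndpointNotFound(interface)
        if interface not in self.reachable:
            raise ConnectFailure(interface)
        return {"validated_via": interface}


def authenticate_as_quoted(transport):
    """Control flow of the quoted excerpt; the retry line is assumed."""
    kwargs = {}
    try:
        return transport.post(**kwargs)
    except EndpointNotFound:
        kwargs["endpoint_filter"] = {"interface": AUTH_INTERFACE}
        return transport.post(**kwargs)


def authenticate_with_connect_fallback(transport):
    """Hypothetical variant: an unreachable admin endpoint also falls back."""
    kwargs = {}
    try:
        return transport.post(**kwargs)
    except (EndpointNotFound, ConnectFailure):
        kwargs["endpoint_filter"] = {"interface": AUTH_INTERFACE}
        return transport.post(**kwargs)
```

With a catalog that lists an admin endpoint the host cannot reach, the first function raises after a single attempt, matching the report. The variant reaches auth_url only after the admin connection attempt has failed, so the delay described in the report would remain.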