← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1603038] Re: Execption on admin_token usage ValueError: Unrecognized

 

Reviewed:  https://review.openstack.org/344496
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e420b16c22288c0a8cb9b1337e56f04ca1ef8737
Submitter: Jenkins
Branch:    master

commit e420b16c22288c0a8cb9b1337e56f04ca1ef8737
Author: Colleen Murphy <colleen@xxxxxxxxxxx>
Date:   Tue Jul 19 15:41:24 2016 -0700

    Skip middleware request processing for admin token
    
    In be558717 the request handling was refactored and more of the token
    handling was left to keystonemiddleware. However, when using the
    deprecated admin_token, the token needs to be handled differently.
    Specifically, there may be no 'token' or 'access' key in the body of
    the request, which keystoneauth expects to have keystonemiddleware pass
    to it[1][2]. Luckily the admin_token doesn't need a lot of special
    processing, so we can just skip that step and move on to fill_context.
    
    [1] http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n399
    [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/access/access.py#n41
    
    Closes-bug: #1603038
    
    Change-Id: Iac4a5769072925fe2f36768c8f31816e6866f2f6


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1603038

Title:
  Execption on admin_token usage ValueError: Unrecognized

Status in OpenStack Identity (keystone):
  Fix Released
Status in keystonemiddleware:
  Invalid

Bug description:
  1. iniset keystone.conf DEFAULT admin_token deprecated
  2. reload keystone (systemctl restart httpd)
  3. curl -g -i -X GET http://192.168.9.98/identity_v2_admin/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: deprecated"


  I know the admin_token is deprecated, but is should be handled without
  throwing an extra exception.


  2016-07-14 11:00:28.487 20453 WARNING keystone.middleware.core [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] The admin_token_auth middleware presents a security risk and should be removed from the [pipeline:api_v3], [pipeline:admin_api], and [pipeline:public_api] sections of your paste ini file.
  2016-07-14 11:00:28.593 20453 DEBUG keystone.middleware.auth [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Authenticating user token process_request /usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py:354
  2016-07-14 11:00:28.593 20453 WARNING keystone.middleware.auth [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Invalid token contents.
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth Traceback (most recent call last):
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth   File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 399, in _do_fetch_token
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth     return data, access.create(body=data, auth_token=token)
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth   File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth     return wrapped(*args, **kwargs)
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth   File "/usr/lib/python2.7/site-packages/keystoneauth1/access/access.py", line 49, in create
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth     raise ValueError('Unrecognized auth response')
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth ValueError: Unrecognized auth response
  2016-07-14 11:00:28.593 20453 TRACE keystone.middleware.auth 
  2016-07-14 11:00:28.594 20453 INFO keystone.middleware.auth [req-f13bf34e-4b80-4c2b-8e47-646ce5665abf - - - - -] Invalid user token
  2016-07-14 11:00:28.595 20453 DEBUG keystone.middleware.auth [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] RBAC: auth_context: {} fill_context /opt/stack/keystone/keystone/middleware/auth.py:219
  2016-07-14 11:00:28.604 20453 INFO keystone.common.wsgi [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] GET http://192.168.9.98/identity_v2_admin/v2.0/users
  2016-07-14 11:00:28.604 20453 WARNING oslo_log.versionutils [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] Deprecated: get_users of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q.
  2016-07-14 11:00:28.622 20453 DEBUG oslo_db.sqlalchemy.engines [req-d1c79cbf-698f-4844-9efd-7be444040cf0 - - - - -] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _check_effective_sql_mode /usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/engines.py:256

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1603038/+subscriptions


References