yahoo-eng-team team mailing list archive
Message #63730
[Bug 1687593] [NEW] Create OAUTH request token gives 401 error when request url is admin endpoint
Public bug reported:

The create request token API returns a 401 error when the request URL is the admin endpoint.

Error scenario:
The URL used to generate the OAUTH signature and for the POST request is the Keystone admin endpoint:
http://<keystone ip:port>/identity_admin/v3/OS-OAUTH1/request_token

Working scenario:
When the URL used to generate the OAUTH signature is the public endpoint, the response is 201:
http://<keystone ip:port>/identity/v3/OS-OAUTH1/request_token

Endpoints in devstack for identity:
ocata@ocata-VirtualBox:~/devstack$ openstack endpoint list | grep identity
| 549f73e17b0e471e95176bb508561bb3 | RegionOne | keystone | identity | True | internal | http://192.168.56.101/identity |
| 739cda51666f4ab197241beac5c5c14c | RegionOne | keystone | identity | True | admin | http://192.168.56.101/identity_admin |
| a0eb39c0ecff46c3b61bc6184c42bc13 | RegionOne | keystone | identity | True | public | http://192.168.56.101/identity

Steps to reproduce the problem:
Run the Python script at the link below (after changing the necessary credentials and IP address):
https://pastebin.com/AqL9674n

If #L38 is modified to the public endpoint (http://<keystone ip:port>/identity/v3/OS-OAUTH1/request_token), the status code is 201.

It seems that the Keystone code verifies the OAUTH signature using the public endpoint irrespective of the request URL.

** Affects: keystone
Importance: Undecided
Assignee: Hemanth Nakkina (hemanth-n)
Status: New
** Affects: python-keystoneclient (Ubuntu)
Importance: Undecided
Status: New
** Also affects: python-keystoneclient (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1687593
Title:
Create OAUTH request token gives 401 error when request url is admin
endpoint
Status in OpenStack Identity (keystone):
New
Status in python-keystoneclient package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1687593/+subscriptions
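
The behaviour the reporter suspects, modelled as an added example (not code from the bug report, the pastebin script or Keystone): an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) covers the request URL, so a verifier that rebuilds the signature base string from the public endpoint rejects a request signed for the admin endpoint. The consumer key, secret, nonce and timestamp are constructed sample values, and `status_for` is a hypothetical helper that maps the verification result to the 201/401 codes seen in the report.

```python
import hashlib
import hmac
from base64 import b64encode
from urllib.parse import quote

# Endpoint URLs as listed in the report's devstack output.
PUBLIC_URL = "http://192.168.56.101/identity/v3/OS-OAUTH1/request_token"
ADMIN_URL = "http://192.168.56.101/identity_admin/v3/OS-OAUTH1/request_token"

# Constructed sample values, not taken from the bug report.
CONSUMER_SECRET = "example-consumer-secret"
PARAMS = {
    "oauth_callback": "oob",
    "oauth_consumer_key": "example-consumer-key",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1493700000",
    "oauth_version": "1.0",
}

def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay."""
    return quote(value, safe="-._~")

def base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & base URI & sorted parameters.
    The URLs above are already in normalized form (lowercase, no query)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; the token secret is empty for a request token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def status_for(client_url, server_url):
    """Client signs for client_url; verifier recomputes with server_url."""
    sent = sign("POST", client_url, PARAMS, CONSUMER_SECRET)
    expected = sign("POST", server_url, PARAMS, CONSUMER_SECRET)
    return 201 if hmac.compare_digest(sent, expected) else 401

if __name__ == "__main__":
    print("signed for admin, verified with public:", status_for(ADMIN_URL, PUBLIC_URL))
    print("signed for public, verified with public:", status_for(PUBLIC_URL, PUBLIC_URL))
    print("signed for admin, verified with request URL:", status_for(ADMIN_URL, ADMIN_URL))
```

The third case shows that the same signature verifies once the verifier builds the base string from the URL the request actually arrived on.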