yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #64593
[Bug 1696308] [NEW] list revoked tokens API returns 500 InternalServerError
Public bug reported:
list revoked tokens API returns 500 InternalServerError
The documentation [1] says that the API should return list of expired PKI tokens, signed by the cryptographic message syntax (CMS) but
I am using token format as UUID.
[1] https://developer.openstack.org/api-ref/identity/v3/?expanded=list-
revoked-tokens-detail#list-revoked-tokens
Sample program:
1 from keystoneauth1.identity import v3
2 from keystoneauth1 import session
3 from keystoneclient.v3 import client
4 auth = v3.Password(auth_url='http://<host-ip>/identity/v3',
5 user_id=<user_id>,
6 password=<password>,
7 project_id=<project-id>)
8 sess = session.Session(auth=auth)
9 keystone = client.Client(session=sess)
10
11 a = keystone.tokens.get_revoked()
The API which is getting used is below:
GET http://<host-ip>/identity/v3/auth/tokens/OS-PKI/revoked
Curl command:
$ curl -g -i -X GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked -H "X-Auth-Token: eb8fc9de9d154c6daa6b26a14d7c4e0f"
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Jun 2017 05:51:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 143
x-openstack-request-id: req-a6517dc2-08ac-4d62-8d21-c3405159e1f3
Connection: close
{"error": {"message": "An unexpected error prevented the server from
fulfilling your request.", "code": 500, "title": "Internal Server
Error"}}
command prompt traceback:
Traceback (most recent call last):
File "3_keystoneclient_program.py", line 12, in <module>
a = keystone.tokens.get_revoked()
File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
return wrapped(*args, **kwargs)
File "/opt/stack/python-keystoneclient/keystoneclient/v3/tokens.py", line 62, in get_revoked
resp, body = self._client.get(path)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 223, in get
return self.request(url, 'GET', **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 382, in request
resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 148, in request
return self.session.request(url, method, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
return wrapped(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 655, in request
raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7004583f-3556-4b38-877a-b7669b3df3f8)
Keystone logs:
2017-06-07 11:07:13.262 DEBUG keystone.middleware.auth [req-78ad2fdd-6a2d-4489-96c0
-98c7373b3eb2 None None] Authenticating user token from (pid=9498) process_request
/usr/local/lib/python2.7/dist-packages/keystonemiddleware/auth_token/__init__.py:40
1
2017-06-07 11:07:13.270 DEBUG keystone.middleware.auth [req-44f7294f-8430-48d3-b9a6
-4f531544c893 None None] RBAC: auth_context: {'is_delegated_auth': False, 'access_t
oken_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea', 'roles': [u'admin']
, 'user_domain_id': u'default', 'consumer_id': None, 'trustee_id': None, 'is_domain
': False, 'is_admin_project': True, 'trustor_id': None, 'token': <KeystoneToken (au
dit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4
f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'projec
t_domain_id': u'default'} from (pid=9498) fill_context /opt/stack/keystone/keystone
/middleware/auth.py:239
2017-06-07 11:07:13.271 INFO keystone.common.wsgi [req-44f7294f-8430-48d3-b9a6-4f53
1544c893 None None] GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked
2017-06-07 11:07:13.271 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3
-b9a6-4f531544c893 None None] RBAC: Authorizing identity:revocation_list() from (pi
d=9498) _build_policy_check_credentials /opt/stack/keystone/keystone/common/authori
zation.py:136
2017-06-07 11:07:13.272 DEBUG keystone.policy.backends.rules [req-44f7294f-8430-48d
3-b9a6-4f531544c893 None None] enforce identity:revocation_list: {'is_delegated_aut
h': False, 'access_token_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea',
'roles': [u'admin'], 'user_domain_id': u'default', 'consumer_id': None, 'trustee_i
d': None, 'is_domain': False, 'is_admin_project': True, 'trustor_id': None, 'token'
: <KeystoneToken (audit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'project_domain_id': u'default'} from (pid=9498) enforce /opt/stack/keystone/keystone/policy/backends/rules.py:33
2017-06-07 11:07:13.274 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3-b9a6-4f531544c893 None None] RBAC: Authorization granted from (pid=9498) check_policy /opt/stack/keystone/keystone/common/authorization.py:240
Wed Jun 7 09:49:23 2017 - SIGPIPE: writing to a closed pipe/socket/fd (probably th
e client disconnected) on request /identity/v3/auth/tokens/OS-PKI/revoked (ip 10.23
2.48.201) !!!
2017-06-07 09:49:23.972 ERROR keystoneclient.common.cms [req-7004583f-3556-4b38-877
a-b7669b3df3f8 None None] Signing error: Unable to load certificate - ensure you ha
ve configured PKI with "keystone-manage pki_setup"
2017-06-07 09:49:23.972 ERROR keystone.common.wsgi [req-7004583f-3556-4b38-877a-b76
69b3df3f8 None None] Command 'openssl' returned non-zero exit status 3: CalledProce
ssError: Command 'openssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi Traceback (most recent call last
):
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/wsgi.py", line 228, in __call__
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi result = method(req, **param
s)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/controller.py", line 94, in inner
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi return f(self, request, *arg
s, **kwargs)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/auth/controllers.py", line 350, in revocation_list
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CONF.signing.keyfile)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 336, in cms_sign_text
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi signing_key_file_name, messa
ge_digest=message_digest)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 384, in cms_sign_data
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi raise subprocess.CalledProce
ssError(retcode, 'openssl')
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CalledProcessError: Command 'ope
nssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi
[pid: 9498|app: 0|req: 13930/27834] 10.232.48.201 () {58 vars in 1084 bytes} [Wed J
un 7 09:49:23 2017] GET /identity/v3/auth/tokens/OS-PKI/revoked => generated 143 b
ytes in 67 msecs (HTTP/1.1 500) 5 headers in 196 bytes (1 switches on core 0)
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1696308
Title:
list revoked tokens API returns 500 InternalServerError
Status in OpenStack Identity (keystone):
New
Bug description:
list revoked tokens API returns 500 InternalServerError
The documentation [1] says that the API should return list of expired PKI tokens, signed by the cryptographic message syntax (CMS) but
I am using token format as UUID.
[1] https://developer.openstack.org/api-ref/identity/v3/?expanded
=list-revoked-tokens-detail#list-revoked-tokens
Sample program:
1 from keystoneauth1.identity import v3
2 from keystoneauth1 import session
3 from keystoneclient.v3 import client
4 auth = v3.Password(auth_url='http://<host-ip>/identity/v3',
5 user_id=<user_id>,
6 password=<password>,
7 project_id=<project-id>)
8 sess = session.Session(auth=auth)
9 keystone = client.Client(session=sess)
10
11 a = keystone.tokens.get_revoked()
The API which is getting used is below:
GET http://<host-ip>/identity/v3/auth/tokens/OS-PKI/revoked
Curl command:
$ curl -g -i -X GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked -H "X-Auth-Token: eb8fc9de9d154c6daa6b26a14d7c4e0f"
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Jun 2017 05:51:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 143
x-openstack-request-id: req-a6517dc2-08ac-4d62-8d21-c3405159e1f3
Connection: close
{"error": {"message": "An unexpected error prevented the server from
fulfilling your request.", "code": 500, "title": "Internal Server
Error"}}
command prompt traceback:
Traceback (most recent call last):
File "3_keystoneclient_program.py", line 12, in <module>
a = keystone.tokens.get_revoked()
File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
return wrapped(*args, **kwargs)
File "/opt/stack/python-keystoneclient/keystoneclient/v3/tokens.py", line 62, in get_revoked
resp, body = self._client.get(path)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 223, in get
return self.request(url, 'GET', **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 382, in request
resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 148, in request
return self.session.request(url, method, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
return wrapped(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 655, in request
raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7004583f-3556-4b38-877a-b7669b3df3f8)
Keystone logs:
2017-06-07 11:07:13.262 DEBUG keystone.middleware.auth [req-78ad2fdd-6a2d-4489-96c0
-98c7373b3eb2 None None] Authenticating user token from (pid=9498) process_request
/usr/local/lib/python2.7/dist-packages/keystonemiddleware/auth_token/__init__.py:40
1
2017-06-07 11:07:13.270 DEBUG keystone.middleware.auth [req-44f7294f-8430-48d3-b9a6
-4f531544c893 None None] RBAC: auth_context: {'is_delegated_auth': False, 'access_t
oken_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea', 'roles': [u'admin']
, 'user_domain_id': u'default', 'consumer_id': None, 'trustee_id': None, 'is_domain
': False, 'is_admin_project': True, 'trustor_id': None, 'token': <KeystoneToken (au
dit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4
f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'projec
t_domain_id': u'default'} from (pid=9498) fill_context /opt/stack/keystone/keystone
/middleware/auth.py:239
2017-06-07 11:07:13.271 INFO keystone.common.wsgi [req-44f7294f-8430-48d3-b9a6-4f53
1544c893 None None] GET http://10.232.48.201/identity/v3/auth/tokens/OS-PKI/revoked
2017-06-07 11:07:13.271 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3
-b9a6-4f531544c893 None None] RBAC: Authorizing identity:revocation_list() from (pi
d=9498) _build_policy_check_credentials /opt/stack/keystone/keystone/common/authori
zation.py:136
2017-06-07 11:07:13.272 DEBUG keystone.policy.backends.rules [req-44f7294f-8430-48d
3-b9a6-4f531544c893 None None] enforce identity:revocation_list: {'is_delegated_aut
h': False, 'access_token_id': None, 'user_id': u'3ad182b5723d4e88b97ea7a52bf50cea',
'roles': [u'admin'], 'user_domain_id': u'default', 'consumer_id': None, 'trustee_i
d': None, 'is_domain': False, 'is_admin_project': True, 'trustor_id': None, 'token'
: <KeystoneToken (audit_id=lYYEPEZaT_m5X-15TEepPQ, audit_chain_id=lYYEPEZaT_m5X-15TEepPQ) at 0x7f9872b4f3c8>, 'project_id': u'c76af8728a56496fb67c6ace6e78657d', 'trust_id': None, 'project_domain_id': u'default'} from (pid=9498) enforce /opt/stack/keystone/keystone/policy/backends/rules.py:33
2017-06-07 11:07:13.274 DEBUG keystone.common.authorization [req-44f7294f-8430-48d3-b9a6-4f531544c893 None None] RBAC: Authorization granted from (pid=9498) check_policy /opt/stack/keystone/keystone/common/authorization.py:240
Wed Jun 7 09:49:23 2017 - SIGPIPE: writing to a closed pipe/socket/fd (probably th
e client disconnected) on request /identity/v3/auth/tokens/OS-PKI/revoked (ip 10.23
2.48.201) !!!
2017-06-07 09:49:23.972 ERROR keystoneclient.common.cms [req-7004583f-3556-4b38-877
a-b7669b3df3f8 None None] Signing error: Unable to load certificate - ensure you ha
ve configured PKI with "keystone-manage pki_setup"
2017-06-07 09:49:23.972 ERROR keystone.common.wsgi [req-7004583f-3556-4b38-877a-b76
69b3df3f8 None None] Command 'openssl' returned non-zero exit status 3: CalledProce
ssError: Command 'openssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi Traceback (most recent call last
):
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/wsgi.py", line 228, in __call__
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi result = method(req, **param
s)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/common/controller.py", line 94, in inner
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi return f(self, request, *arg
s, **kwargs)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/opt/stack/keystone/keys
tone/auth/controllers.py", line 350, in revocation_list
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CONF.signing.keyfile)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 336, in cms_sign_text
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi signing_key_file_name, messa
ge_digest=message_digest)
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7
/dist-packages/keystoneclient/common/cms.py", line 384, in cms_sign_data
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi raise subprocess.CalledProce
ssError(retcode, 'openssl')
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi CalledProcessError: Command 'ope
nssl' returned non-zero exit status 3
2017-06-07 09:49:23.972 TRACE keystone.common.wsgi
[pid: 9498|app: 0|req: 13930/27834] 10.232.48.201 () {58 vars in 1084 bytes} [Wed J
un 7 09:49:23 2017] GET /identity/v3/auth/tokens/OS-PKI/revoked => generated 143 b
ytes in 67 msecs (HTTP/1.1 500) 5 headers in 196 bytes (1 switches on core 0)
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1696308/+subscriptions
Follow ups
