
yahoo-eng-team team mailing list archive

[Bug 1687593] Re: Create OAUTH request token gives 401 error when request url is admin endpoint

 

The functional tests that we added to verify this fix are being run
against the stable branches, causing them to break because neither
stable/ocata nor stable/newton has the fix posted here. This was found
and reported in https://bugs.launchpad.net/keystone/+bug/1704148.

** Also affects: keystone/ocata
   Importance: Undecided
       Status: New

** Also affects: keystone/newton
   Importance: Undecided
       Status: New

** Changed in: keystone/newton
       Status: New => In Progress

** Changed in: keystone/ocata
       Status: New => In Progress

** Changed in: keystone/newton
   Importance: Undecided => High

** Changed in: keystone/ocata
   Importance: Undecided => High

** Changed in: keystone
   Importance: Undecided => Medium

** Changed in: keystone/newton
     Assignee: (unassigned) => Lance Bragstad (lbragstad)

** Changed in: keystone/ocata
     Assignee: (unassigned) => Lance Bragstad (lbragstad)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1687593

Title:
  Create OAUTH request token gives 401 error when request url is admin
  endpoint

Status in OpenStack Identity (keystone):
  Fix Committed
Status in OpenStack Identity (keystone) newton series:
  In Progress
Status in OpenStack Identity (keystone) ocata series:
  In Progress
Status in python-keystoneclient:
  In Progress

Bug description:
  Create request token API returns 401 error when the request URL is
  admin endpoint.

  Error scenario:
  URL used to generate OAUTH signature and for POST request is Keystone admin endpoint
  http://<keystone ip:port>/identity_admin/v3/OS-OAUTH1/request_token

  Working scenario:
  When the URL used to generate OAUTH signature is public endpoint, then the response is 201. 
  http://<keystone ip:port>/identity/v3/OS-OAUTH1/request_token

  Endpoints in devstack for identity:
  ocata@ocata-VirtualBox:~/devstack$ openstack endpoint list | grep identity
  | 549f73e17b0e471e95176bb508561bb3 | RegionOne | keystone     | identity          | True    | internal  | http://192.168.56.101/identity                    |
  | 739cda51666f4ab197241beac5c5c14c | RegionOne | keystone     | identity          | True    | admin     | http://192.168.56.101/identity_admin              |
  | a0eb39c0ecff46c3b61bc6184c42bc13 | RegionOne | keystone     | identity          | True    | public    | http://192.168.56.101/identity                    |

  
  Steps to reproduce the problem:

  Run the python script in the below link (by changing the necessary credentials and IP address)
  https://pastebin.com/AqL9674n

  If #L38 is modified to public endpoint (http://<keystone
  ip:port>/identity/v3/OS-OAUTH1/request_token), the status code is 201.

  Seems like Keystone code verifies the OAUTH signature using Public
  endpoint irrespective of the request URL.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1687593/+subscriptions
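
Why the signing URL matters, as an added example (not part of the bug report and not Keystone's or the reporter's code): under RFC 5849 the request URL is part of the HMAC-SHA1 signature base string, so a verifier that rebuilds the base string from a different endpoint URL than the one the client signed cannot match. The host name, consumer key and secret, nonce and timestamp are constructed values; only the two endpoint paths come from the report.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(s, safe="-._~")

def base_string_uri(url):
    # RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default port, keep path.
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}[scheme]:
        host += ":%d" % u.port
    return "%s://%s%s" % (scheme, host, u.path or "/")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Base string = METHOD & encoded URI & encoded, sorted parameter list.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    base = "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])
    # A request-token call has no token secret yet, so the key ends in "&".
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url_seen_by_verifier, params, signature, consumer_secret):
    # The verifier recomputes the signature over the URL *it* believes was called.
    expected = sign(method, url_seen_by_verifier, params, consumer_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample request (host, key, secret, nonce, timestamp are made up).
HOST = "http://keystone.example"
ADMIN_URL = HOST + "/identity_admin/v3/OS-OAUTH1/request_token"
PUBLIC_URL = HOST + "/identity/v3/OS-OAUTH1/request_token"
SECRET = "example-consumer-secret"
PARAMS = {"oauth_consumer_key": "example-consumer", "oauth_nonce": "n-0001",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1500000000",
          "oauth_version": "1.0", "oauth_callback": "oob"}

def demo():
    sig = sign("POST", ADMIN_URL, PARAMS, SECRET)  # client signs the admin URL
    return {"verifier_uses_public_url": verify("POST", PUBLIC_URL, PARAMS, sig, SECRET),
            "verifier_uses_request_url": verify("POST", ADMIN_URL, PARAMS, sig, SECRET)}

if __name__ == "__main__":
    print(demo())
```

A verifier that derives the URL from the actual incoming request accepts the signature; one that substitutes a fixed endpoint rejects it, which a client sees as a 401.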

