yahoo-eng-team team mailing list archive

[Bug 1769864] [NEW] cannot use newly issued token immediately after admin password change

 

Public bug reported:

The following issue was observed while running an automated job which
changed the password of the admin account (Pike release was used). If an
admin token is issued immediately after the admin password is changed,
using the token to authenticate to Keystone is met with an Unauthorized
error:

{"error": {"message": "The request you have made requires
authentication.", "code": 401, "title": "Unauthorized"}}

Steps to reproduce this:

1. generate a token with the current admin password:

  curl -d '{"auth":{"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}' -H "Content-type: application/json" \
    http://cluster-data.vn1.cloud.suse.de:35357/v2.0/tokens

2. change the admin password using the token generated at step 1:

  curl -X PUT -d '{"user":{"id": "<admin-user-uuid>", "password": "newpassword"}}' \
    -H "X-Auth-Token:<token-id>" \
    -H "Content-type: application/json" \
    http://cluster-data.vn1.cloud.suse.de:35357/v2.0/users/<admin-user-uuid>/OS-KSADM/password

3. generate a token with the new admin password:

  curl -d '{"auth":{"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "newpassword"}}}' \
    -H "Content-type: application/json" \
    http://cluster-data.vn1.cloud.suse.de:35357/v2.0/tokens

4. run a simple check using the token generated at 3.:

  curl -H "X-Auth-Token:<new-token-id>" \
    http://cluster-data.vn1.cloud.suse.de:35357/v2.0/OS-KSADM/services


To reproduce this issue, step 4 needs to be executed immediately after 3. Inserting a 1-2 second delay between 3 and 4 makes the problem go away.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1769864
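
For automation like the job described in this report, the observed 1-2 second delay can be applied as a bounded retry on the first use of the new token instead of a fixed sleep. This is an added example, not part of the bug report or of Keystone; KEYSTONE_URL, TOKEN, RETRY_MAX, RETRY_DELAY and the function names are assumptions.

```shell
#!/bin/sh
# Added example: bounded retry for the first use of a token issued right
# after a password change. All variable and function names are assumed.

# Probe matching step 4 of the report; prints only the HTTP status code.
check_services() {
    curl -s -o /dev/null -w '%{http_code}' \
        -H "X-Auth-Token: ${TOKEN}" \
        "${KEYSTONE_URL}/v2.0/OS-KSADM/services"
}

# retry_on_401 PROBE
# Runs PROBE (a command that prints an HTTP status) until it stops
# returning 401 or RETRY_MAX attempts are used. Prints the last status
# and returns 0 only for a 2xx response, so a persistent 401 still fails.
retry_on_401() {
    probe=$1
    max=${RETRY_MAX:-3}
    delay=${RETRY_DELAY:-2}
    attempt=1
    while :; do
        code=$("$probe")
        case $code in
            2??) echo "$code"; return 0 ;;
            401)
                if [ "$attempt" -ge "$max" ]; then
                    echo "$code"; return 1
                fi
                sleep "$delay"
                attempt=$((attempt + 1))
                ;;
            # Any other status is not the transient case; do not retry.
            *) echo "$code"; return 1 ;;
        esac
    done
}
```

Call it as `retry_on_401 check_services`. Retry only the token-bearing request, not the password authentication in step 3, so that a wrong password fails at once.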
