yahoo-eng-team team mailing list archive
Message #72774
[Bug 1769864] [NEW] cannot use newly issued token immediately after admin password change
Public bug reported:
The following issue was observed while running an automated job which
changed the password of the admin account (Pike release was used). If an
admin token is issued immediately after the admin password is changed,
using the token to authenticate to Keystone is met with an Unauthorized
error:
{"error": {"message": "The request you have made requires
authentication.", "code": 401, "title": "Unauthorized"}}
Steps to reproduce this:
1. generate a token with the current admin password:
   curl -d '{"auth":{"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}' \
     -H "Content-type: application/json" \
     http://cluster-data.vn1.cloud.suse.de:35357/v2.0/tokens
2. change the admin password using the token generated at step 1:
   curl -X PUT -d '{"user":{"id": "<admin-user-uuid>", "password": "newpassword"}}' \
     -H "X-Auth-Token:<token-id>" \
     -H "Content-type: application/json" \
     http://cluster-data.vn1.cloud.suse.de:35357/v2.0/users/<admin-user-uuid>/OS-KSADM/password
3. generate a token with the new admin password:
   curl -d '{"auth":{"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "newpassword"}}}' \
     -H "Content-type: application/json" \
     http://cluster-data.vn1.cloud.suse.de:35357/v2.0/tokens
4. run a simple check using the token generated at 3.:
   curl -H "X-Auth-Token:<new-token-id>" \
     http://cluster-data.vn1.cloud.suse.de:35357/v2.0/OS-KSADM/services
To reproduce this issue, step 4 needs to be executed immediately after 3. Inserting a 1-2 second delay between 3 and 4 makes the problem go away.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1769864
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1769864/+subscriptions
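For an automated job that rotates the admin password, the fixed delay the report mentions can be replaced by a bounded retry around step 4 that only tolerates the 401 seen here. This is an added example, not part of the original report or of Keystone; KEYSTONE_URL is a placeholder and the function names check_token and wait_token_usable are hypothetical.

```shell
#!/bin/sh
# Added example: bounded retry for the services check (step 4 of the report).
# KEYSTONE_URL is a placeholder endpoint (assumption, not from the report).
KEYSTONE_URL="${KEYSTONE_URL:-http://keystone.example.invalid:35357}"

# Step 4 of the report, reduced to the HTTP status code only, so the
# response body is never written to job logs.
check_token() {
    curl -s -o /dev/null -w '%{http_code}' \
        -H "X-Auth-Token:$1" "$KEYSTONE_URL/v2.0/OS-KSADM/services"
}

# wait_token_usable TOKEN [PROBE] [MAX_TRIES] [DELAY_SECONDS]
# PROBE is any command that prints an HTTP status for TOKEN.
# Returns 0 once PROBE prints 200,
#         1 if it still prints 401 after MAX_TRIES (treat as a real auth failure),
#         2 on any other status (not the symptom from the report, do not retry).
# The number of probes made is left in $tries.
wait_token_usable() {
    token=$1
    probe=${2:-check_token}
    max=${3:-5}
    delay=${4:-1}
    tries=0
    while [ "$tries" -lt "$max" ]; do
        tries=$((tries + 1))
        status=$("$probe" "$token")
        case $status in
            200) return 0 ;;
            401) [ "$tries" -lt "$max" ] && sleep "$delay" ;;
            *)   echo "unexpected HTTP status: $status" >&2
                 return 2 ;;
        esac
    done
    return 1
}
```

The retry limit matters: a 401 that outlasts the few seconds described in the report should fail the job rather than be retried indefinitely.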