
yahoo-eng-team team mailing list archive

[Bug 1959674] [NEW] Keystone produce error after trying to read application_credential even if not set


Public bug reported:

If you are authed using application credentials and try to add a
loadbalancer listener with TERMINATED_HTTPS, keystone produces an error,
causing a 500 internal error.

After digging through the code I found that it's caused by keystone adding application_credential as an allowed method and then trying to read application_credential from the auth payload, even when it is not set.
Octavia doesn't try to use application credentials in the payload; it tries to auth with method: ["token"]. It is keystone that adds application_credential as a method.

Octavia auth payload is created here:
https://opendev.org/openstack/octavia/src/branch/master/octavia/certificates/common/auth/barbican_acl.py#L87

The payload sent to keystone looks like this:
{
    "data": {
        "auth": {
            "identity": {
                "methods": ["token"],
                "token": {
                    "id": "<token id>"
                }
            },
            "scope": {
                "project": {
                    "id": "<project id>"
                }
            }
        }
    }
}


Keystone adds application_secret to allowed_methods here:
https://opendev.org/openstack/keystone/src/branch/master/keystone/api/_shared/authentication.py#L206

Keystone then tries to read the id of the application credential, which
will fail as it is not included in the auth payload:
https://opendev.org/openstack/keystone/src/branch/master/keystone/api/_shared/authentication.py#L210-L212

This causes a keystone error and you get a 500 internal error sent back
to octavia.


Steps to reproduce:

1. Create an application credential with openstack application credential create.
2. Auth using the application credential
3. Try to add a terminated_https loadbalancer with openstack loadbalancer listener create


If you want to isolate the keystone auth failure without going through octavia you can do so with:
curl -H "Content-Type: application/json" https://<keystone url>/v3/auth/tokens -d '{"auth": {"identity": {"methods": ["token"], "token": {"id": "<token id>"}}, "scope": {"project": {"id": "<project id>"}}}}'

** Affects: keystone
     Importance: Undecided
         Status: New
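The failure mode above, as an added illustration (not keystone's or Octavia's own code): a token-only auth payload never carries an application_credential block, so a reader that dereferences the block unconditionally raises instead of rejecting the request cleanly. The guarded reader only looks at the block when the client actually listed that method, and turns a missing id into a client-side validation error rather than a server fault.

```python
# Added illustration, not keystone's or Octavia's own code. The payload
# shapes follow the keystone v3 auth API; the reader functions are a
# simplified model of the behaviour the report describes.


def build_token_auth(token_id: str, project_id: str) -> dict:
    """The payload Octavia sends: methods == ["token"], project-scoped."""
    return {
        "auth": {
            "identity": {"methods": ["token"], "token": {"id": token_id}},
            "scope": {"project": {"id": project_id}},
        }
    }


def build_app_cred_auth(app_cred_id: str, secret: str) -> dict:
    """A genuine application-credential login, for comparison."""
    return {
        "auth": {
            "identity": {
                "methods": ["application_credential"],
                "application_credential": {"id": app_cred_id, "secret": secret},
            }
        }
    }


def app_cred_id_unguarded(payload: dict) -> str:
    """Models the reported behaviour: assumes the block is always there.

    On a token-only payload this raises KeyError, which surfaces to the
    client as an unhandled exception (HTTP 500) instead of a 4xx."""
    return payload["auth"]["identity"]["application_credential"]["id"]


def app_cred_id_guarded(payload: dict):
    """Read the application_credential id only if the client asked for
    that method; return None when it was not requested at all."""
    identity = payload["auth"]["identity"]
    if "application_credential" not in identity.get("methods", []):
        return None
    block = identity.get("application_credential")
    if not isinstance(block, dict) or not block.get("id"):
        # Method named but no usable block: a validation error (400-class),
        # never a server fault.
        raise ValueError("application_credential method requested without an id")
    return block["id"]


def guarded_outcome(payload: dict) -> str:
    """Coarse HTTP-style outcome of the guarded path: 'ok' or '400'."""
    try:
        app_cred_id_guarded(payload)
    except ValueError:
        return "400"
    return "ok"
```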

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1959674

Title:
  Keystone produce error after trying to read application_credential
  even if not set

Status in OpenStack Identity (keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1959674/+subscriptions