yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2072945] [NEW] Token authentication fails with 500 error

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Taekyun Kim <2072945@xxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Jul 2024 09:52:19 -0000
Reply-to: Bug 2072945 <2072945@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

Token authentication fails when using a token issued via application
credential.

Below code demonstrate the failure.
(I used keystoneauth1 but plain HTTP requests with curl will also fail.)

=== Beginning of code ===

from keystoneauth1 import identity
from keystoneauth1 import session

app_cred = identity.V3ApplicationCredential(
    auth_url='http://10.11.22.100/identity',
    application_credential_id='<app-cred-id>',
    application_credential_secret='<app-cred-secret>',
)

session_app_cred = session.Session(auth=app_cred)
ref = app_cred.get_auth_ref(session=session_app_cred)

token = identity.Token(
    auth_url='http://10.11.22.100/identity',
    token=ref.auth_token,
    project_name='demo',
    project_domain_name='default',
)

session_token = session.Session(auth=token)
res = token.get_auth_ref(session=session_token)
print(res.auth_token)

=== End of code ===

The error was caused by below code line.
https://opendev.org/openstack/keystone/src/commit/0bc2af48d5eabb59627f0b733a9fec42ff3759aa/keystone/api/_shared/authentication.py#L212

If it is the case that the token should not be authenticated, correct error response should be produced.
Otherwise, the authentication should be successful.

I made a simple fix to this problem and applied to my deployment.
Please check the problem and feel free to ask me for any futher details.

Thanks.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2072945

Title:
  Token authentication fails with 500 error

Status in OpenStack Identity (keystone):
  New

Bug description:
  Token authentication fails when using a token issued via application
  credential.

  Below code demonstrate the failure.
  (I used keystoneauth1 but plain HTTP requests with curl will also fail.)

  === Beginning of code ===

  from keystoneauth1 import identity
  from keystoneauth1 import session

  app_cred = identity.V3ApplicationCredential(
      auth_url='http://10.11.22.100/identity',
      application_credential_id='<app-cred-id>',
      application_credential_secret='<app-cred-secret>',
  )

  session_app_cred = session.Session(auth=app_cred)
  ref = app_cred.get_auth_ref(session=session_app_cred)

  token = identity.Token(
      auth_url='http://10.11.22.100/identity',
      token=ref.auth_token,
      project_name='demo',
      project_domain_name='default',
  )

  session_token = session.Session(auth=token)
  res = token.get_auth_ref(session=session_token)
  print(res.auth_token)

  === End of code ===

  The error was caused by below code line.
  https://opendev.org/openstack/keystone/src/commit/0bc2af48d5eabb59627f0b733a9fec42ff3759aa/keystone/api/_shared/authentication.py#L212

  If it is the case that the token should not be authenticated, correct error response should be produced.
  Otherwise, the authentication should be successful.

  I made a simple fix to this problem and applied to my deployment.
  Please check the problem and feel free to ask me for any futher details.

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2072945/+subscriptions