Bug #22223
openSwift API - Keystone Token Expiry - 403 instead of 401.
0%
Description
The Kraken implementation of the Swift API for RGW sends a 403 (Forbidden) response rather than a 401 (Unauthorized) response when a token expires.
This is unexpected behaviour and causes third party clients to fail (rclone / s3ql) and I am able to replicate this repeatedly with both clients.
In our implementation we are also using Keystone integration, which could also be related as a user without the correct role would technically also be 'forbidden'.
OpenStack Docs state:
"Authentication tokens expire after a time period that the authentication service defines. When a token expires, use of the token causes requests to fail with a 401 Unauthorized response. To continue, you must obtain a new token."
Link: https://docs.openstack.org/swift/latest/api/authentication.html
I'm not sure if this is fixed in Luminous, but if so it would be great to get it backported to Kraken.
RGW Logs
--------
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.321165 7f254a6a5700 20 process_request() returned 1900>ERRORHANDLER: err_no=-13 new_err_no=-13
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.321212 7f254a6a5700 1 civetweb: 0x55e6ae6c5000: 127.0.0.1 - - [22/Nov/2017:12:29:27 +0000] "PUT /swift/v1/UUID/data/data HTTP/1.1" 1 0 - -
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.357790 7f2544699700 20 received response status=404, body={"error": {"message": "Failed to validate token", "code":
404, "title": "Not Found"}}
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.357933 7f2544699700 5 auth engine throwed err=-13
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.357992 7f2544699700 10 failed to authorize request
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.358007 7f2544699700 20 handler
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.358507 7f2544699700 2 req 135332:0.258719:swift:PUT /swift/v1/PUT /swift/v1/UUID/data/data
a_9311:put_obj:op status=0
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.358518 7f2544699700 2 req 135332:0.258753:swift:PUT /swift/v1/PUT /swift/v1/UUID/data/data
a_9311:put_obj:http status=403
Nov 22 12:29:27 rgw1 radosgw: 2017-11-22 12:29:27.358545 7f2544699700 1 ====== req done req=0x7f25446933f0 op status=0 http_status=403 ======
Updated by Nathan Cutler over 6 years ago
Hi @Ross: Sorry to be the "bringer of bad news" here. . . . Kraken has been declared End Of Life (EOL) so do not expect anymore releases in the Kraken series. Please consider upgrading to Luminous, which is a Long Term Stable (LTS) release.
Updated by Ross Martyn over 6 years ago
Hi @Nathan Weinberg,
Thanks, do you have any idea if this is fixed in Luminous?
Updated by Nathan Cutler over 6 years ago
- Subject changed from RGW Swift API - Kraken - Keystone Token Expiry - 403 instead of 401. to Swift API - Keystone Token Expiry - 403 instead of 401.
@Ross - no idea, but I edited the subject line to reflect that the bug might be present in master/luminous.