Bug #64094
keystone admin token is not invalidated on http 401 response
% Done: 0%
Tags: keystone backport_processed
Backport: quincy reef squid
Regression: No
Severity: 3 - minor
Description
When a client uses the Swift API and sends us a keystone token we need to validate it. If it's not in our cache we
get an admin token that we can use to validate the client token with by doing an API call to keystone.
If keystone responds with an http 401 it means our admin token is invalid, but we never invalidate it, so
we can end up in a state where all client requests are rejected due to an invalid admin token.
This can happen when, for example, changing the password on the keystone user: any token already issued would
go invalid, but rgw would still try to use it since it's cached and not expired yet.
Updated by Tobias Urdin 3 months ago
Simple keystone reproducer:
#!/bin/bash
# issue admin token that radosgw would use and save it
echo "issue admin token"
source ~/radosgwrc
admin_token=$(openstack token issue -c id -f value)
# then issue a token for a client
echo "issue customer token"
source ~/customerrc
customer_token=$(openstack token issue -c id -f value)
# now emulate what radosgw would call to keystone to validate a customer token with its own admin token for auth
echo "test that it works"
curl -H "X-Auth-Token: $admin_token" -H "X-Subject-Token: $customer_token" http://localhost:5000/v3/auth/tokens
echo
# now let's force a password change on the radosgw user and see if the admin token gets invalidated
# the password "secret" that we change to here is the same as the current password
echo "change password for radosgw user"
source ~/openrc
openstack user set --password secret radosgw
# now test again and admin token is invalid and we get status code 401
echo "test and it will fail with 401"
curl -H "X-Auth-Token: $admin_token" -H "X-Subject-Token: $customer_token" http://localhost:5000/v3/auth/tokens
echo
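The cache behaviour from the description and the password-change sequence from the reproducer above, as an added Python sketch (not rgw's own C++ code): a constructed in-process stand-in for Keystone's token-validation endpoint, a hypothetical validator that caches the admin token, and the fix of dropping that token on a 401 and retrying once with a fresh one. `FakeKeystone`, `TokenValidator` and `run_scenario` are names made up for this example.

```python
import itertools

class FakeKeystone:
    """Constructed stand-in for Keystone's /v3/auth/tokens endpoint (not real Keystone)."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.valid = set()  # tokens Keystone currently accepts
    def issue(self, user):
        token = f"{user}-token-{next(self._ids)}"
        self.valid.add(token)
        return token
    def change_password(self, user):
        # Keystone revokes every token already issued to a user whose password changes.
        self.valid = {t for t in self.valid if not t.startswith(user + "-")}
    def validate(self, x_auth_token, x_subject_token):
        # HTTP-like status: 401 = bad X-Auth-Token, 404 = bad X-Subject-Token, 200 = valid
        if x_auth_token not in self.valid:
            return 401
        return 200 if x_subject_token in self.valid else 404

class TokenValidator:
    """Hypothetical rgw-side validator: caches the admin token and validated client tokens."""
    def __init__(self, keystone, invalidate_on_401):
        self.ks = keystone
        self.invalidate_on_401 = invalidate_on_401  # False reproduces the reported behaviour
        self.admin_token = None
        self.client_cache = set()
    def _admin_token(self):
        if self.admin_token is None:
            self.admin_token = self.ks.issue("radosgw")
        return self.admin_token
    def validate(self, client_token):
        if client_token in self.client_cache:
            return True
        status = self.ks.validate(self._admin_token(), client_token)
        if status == 401 and self.invalidate_on_401:
            # The fix: a 401 means *our* admin token is stale, so drop it and retry once.
            self.admin_token = None
            status = self.ks.validate(self._admin_token(), client_token)
        if status == 200:
            self.client_cache.add(client_token)
        return status == 200

def run_scenario(invalidate_on_401):
    # Replay the reproducer: validate once, change the radosgw password, validate a new token.
    ks = FakeKeystone()
    rgw = TokenValidator(ks, invalidate_on_401)
    first = rgw.validate(ks.issue("customer"))
    ks.change_password("radosgw")  # revokes the cached admin token, as in the reproducer
    return first, rgw.validate(ks.issue("customer"))
```

Without the fix every client token validated after the password change is rejected; with it the second validation succeeds after one extra round trip to re-issue the admin token.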
Updated by Tobias Urdin 3 months ago
proposed pull request https://github.com/ceph/ceph/pull/55236
Updated by Casey Bodley 3 months ago
- Status changed from New to Fix Under Review
- Tags set to keystone
- Backport set to quincy reef
- Pull request ID set to 55236
Updated by Casey Bodley 2 months ago
- Status changed from Fix Under Review to Pending Backport
- Assignee set to Tobias Urdin
- Backport changed from quincy reef to quincy reef squid
Updated by Backport Bot 2 months ago
- Copied to Backport #64494: reef: keystone admin token is not invalidated on http 401 response added
Updated by Backport Bot 2 months ago
- Copied to Backport #64495: quincy: keystone admin token is not invalidated on http 401 response added
Updated by Backport Bot 2 months ago
- Copied to Backport #64496: squid: keystone admin token is not invalidated on http 401 response added
Updated by Backport Bot 2 months ago
- Tags changed from keystone to keystone backport_processed