Project

General

Profile

Actions
Copy link

Bug #64094

open

keystone admin token is not invalidated on http 401 response

Added by Tobias Urdin 4 months ago. Updated 3 months ago.

Status:
Pending Backport
Priority:
Normal
Assignee:
Tobias Urdin
Target version:
-
% Done:

0%

Source:
Tags:
keystone backport_processed
Backport:
quincy reef squid
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
55236
Crash signature (v1):
Crash signature (v2):

Description

when a client uses the Swift API and send us a keystone token we need to validate it, if it's not in our cache we
get a admin token that we can use to validet the client token with by doing a API call to keystone

if keystone responds with a http 401 it means our admin token is invalid but we never invalidate it so
we can end up in a state where all client requests is rejected due to an invalid admin token.

this can happen when for example changing the password on the keystone user, any token already issued would
go invalid but rgw would still try to use it since it's cached and not expired yet.

Related issues 3 (2 open1 closed)

Copied to rgw - Backport #64494: reef: keystone admin token is not invalidated on http 401 responseNewActions
Copied to rgw - Backport #64495: quincy: keystone admin token is not invalidated on http 401 responseNewActions
Copied to rgw - Backport #64496: squid: keystone admin token is not invalidated on http 401 responseResolvedCasey BodleyActions
Actions
Copy link

Also available in: Atom PDF