path: root/keystonemiddleware/auth_token
Commit message | Author | Age | Files | Lines
* Remove cache invalidation when using expired token  [tags: 10.2.0, stable/2023.1]
  Author: Jorge Merlino  Age: 2022-12-12  Files: 1  Lines: -6/+0

  This can create a race condition for long running services that reuse
  their token (e.g. Kubernetes Cinder CSI plugin), in this case for example:

  1. [user] Asks nova to attach a volume to a server
  2. ...the user's token expires
  3. [user] Asks cinder if the volume has been attached
  4. [nova] Asks cinder to attach the volume

  In step 3 the token is marked as invalid in the cache and step 4 fails
  even if allow_expired is true.

  Closes-Bug: #1987355
  Change-Id: Ice8e34440a5fe1baa370646ed70b5e085c4af70e
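The four-step race above, replayed as an added simulation (this is example code, not keystonemiddleware's own implementation). It assumes one token cache shared by the services, that a rejected token is cached as an INVALID marker, and that allow_expired=True lets a caller use an entry the cache already holds after expiry; the class and function names are made up for the illustration.

```python
"""Added example, not keystonemiddleware's own code: the expired-token
cache race described in the commit message, reduced to a small simulation.

Assumptions: a validated token is cached as a dict with an "expires_at";
a rejected token is cached as the INVALID marker; allow_expired=True lets
a caller accept a token the cache already holds even after expiry.  The
names here are made up for the illustration.
"""
from datetime import datetime, timedelta, timezone

INVALID = object()  # cache marker: "this token was rejected"


class TokenCache:
    def __init__(self):
        self._store = {}

    def get(self, token_id):
        return self._store.get(token_id)

    def set(self, token_id, data):
        self._store[token_id] = data


def fetch_from_keystone(token_id, token_db, allow_expired, now):
    """Stand-in for the keystone round trip (constructed, runs offline)."""
    data = token_db.get(token_id)
    if data is None or (data["expires_at"] <= now and not allow_expired):
        return None
    return data


def validate(token_id, cache, token_db, allow_expired, now, invalidate_on_expiry):
    """Return the token data or None.

    invalidate_on_expiry=True reproduces the behaviour before the fix: an
    ordinary (allow_expired=False) validation that finds an expired entry in
    the cache overwrites it with INVALID.  With False the entry is left alone
    so a later allow_expired=True caller can still use it.
    """
    cached = cache.get(token_id)
    if cached is INVALID:
        return None
    if cached is not None:
        if cached["expires_at"] > now or allow_expired:
            return cached
        if invalidate_on_expiry:
            cache.set(token_id, INVALID)
        return None
    data = fetch_from_keystone(token_id, token_db, allow_expired, now)
    cache.set(token_id, INVALID if data is None else data)
    return data


def run_scenario(invalidate_on_expiry):
    """Replay the four steps from the commit message; return which succeed."""
    t0 = datetime(2022, 12, 12, tzinfo=timezone.utc)
    token_db = {"tok-1": {"user": "csi-plugin", "expires_at": t0 + timedelta(minutes=5)}}
    cache = TokenCache()  # one cache shared by nova and cinder (memcached-like)
    # 1. [user] asks nova to attach a volume; nova validates and caches the token
    step1 = validate("tok-1", cache, token_db, False, t0, invalidate_on_expiry) is not None
    # 2. ... the user's token expires
    t1 = t0 + timedelta(minutes=10)
    # 3. [user] asks cinder whether the volume is attached (ordinary validation)
    step3 = validate("tok-1", cache, token_db, False, t1, invalidate_on_expiry) is not None
    # 4. [nova] asks cinder to attach, reusing the token with allow_expired
    step4 = validate("tok-1", cache, token_db, True, t1, invalidate_on_expiry) is not None
    return step1, step3, step4


if __name__ == "__main__":
    print("before fix:", run_scenario(invalidate_on_expiry=True))   # (True, False, False)
    print("after fix: ", run_scenario(invalidate_on_expiry=False))  # (True, False, True)
```

Step 3 is still rejected after the fix (the token really is expired for an ordinary caller); the difference is that it no longer poisons the shared cache entry that step 4 relies on.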
* Switch to eventlet-safe oslo.cache's MemcacheClientPool
  Author: Michal Arbet  Age: 2021-02-11  Files: 2  Lines: -4/+10

  In past days there were discussions about various issues with memcached
  connections [1][2][3]. After investigation it looks like the common root
  cause for the above problems is keystonemiddleware, more precisely the
  way keystonemiddleware is caching tokens. Currently it's using some
  home-made CachePool with direct usage of the memcached library; moreover
  it looks like its approach is not eventlet-safe. Discussion can mainly
  be found in [4].

  Fortunately keystonemiddleware can use an "advanced cache pool", which
  is oslo.cache's implementation and was added a long time ago [5], but it
  is turned on only if memcache_use_advanced_pool=True.

  This patch is switching to the more elaborate oslo.cache CachePool and
  adding a deprecation warning about the eventlet-unsafe variant of
  keystonemiddleware's memcache pool.

  How to reproduce? (with memcache_use_advanced_pool=False)

  1. Build a clean ENV of openstack
  2. Deploy core projects (keystone, glance, nova, placement, ...)
  3. Run "while true; do COMMAND FOR SERVICE; done" in several bashes, in
     parallel (5-7), where COMMAND FOR SERVICE is one of:
     - openstack network list
     - openstack volume list
     - openstack server list
     - openstack image list
  4. Check memcached connections (which will grow up) every second:
     - ss | grep 11211 | wc -l

  How to fix and test it? Repeat the above; to fix:
  - run with memcache_use_advanced_pool=True, OR
  - apply this patch

  Compare measurements in graph.

  [1] https://bugs.launchpad.net/keystonemiddleware/+bug/1892852
  [2] https://bugs.launchpad.net/oslo.cache/+bug/1888394
  [3] https://bugs.launchpad.net/keystonemiddleware/+bug/1883659
  [4] https://review.opendev.org/c/openstack/oslo.cache/+/742193
  [5] https://review.opendev.org/c/openstack/keystonemiddleware/+/268664

  Closes-Bug: #1883659
  Closes-Bug: #1892852
  Closes-Bug: #1888394
  Change-Id: I0e96334b65a0bf369ebf1d88651d13feb8d2ecac
* Merge "Change the default Identity endpoint to internal"  [tags: victoria-em, 9.1.0, stable/victoria]
  Author: Zuul  Age: 2020-07-06  Files: 1  Lines: -2/+2
* Change the default Identity endpoint to internal
  Author: Jens Harbott  Age: 2020-06-14  Files: 1  Lines: -2/+2

  In [0] the ``interface`` option was added in order to allow the Identity
  endpoint that is being used when validating tokens to be configured by
  the deployer. Change the default to using the internal endpoint, as that
  should be what most deployments will end up using.

  [0] https://review.opendev.org/651790

  Depends-On: https://review.opendev.org/651492
  Closes-Bug: 1830002
  Change-Id: I0ce8b6d8cd408c7fac8107972e7be70839e337fb
* Update hacking for Python3
  Author: Andreas Jaeger  Age: 2020-03-30  Files: 1  Lines: -1/+1

  The repo is Python 3 now, so update hacking to version 3.0 which
  supports Python 3.

  Blacklist:
  W504 line break after binary operator
  W503 line break before binary operator

  Fix other problems found.

  Change-Id: I2fb257a4f42b499df3702f3e8f3c99ecb28557d6
* Merge "Fix DeprecationWarning: invalid escape sequence issues"
  Author: Zuul  Age: 2020-01-02  Files: 1  Lines: -4/+4
* Fix DeprecationWarning: invalid escape sequence issues
  Author: Sean McGinnis  Age: 2019-11-13  Files: 1  Lines: -4/+4

  Some regex strings contain invalid escape sequences for normal strings,
  causing newer versions of Python to emit DeprecationWarning messages.
  This updates those instances to raw strings so they are not interpreted
  as invalid.

  Change-Id: I28ac26516bacab36578a5a7f6ec7f9dcf7d7eeb1
  Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
* Rename _v3_to_v2_catalog to _normalize_catalog  [tag: 8.0.0]
  Author: Gage Hugo  Age: 2019-12-20  Files: 1  Lines: -14/+10

  This change renames the _v3_to_v2_catalog to _normalize_catalog as part
  of the v2 removal effort. Several services still rely on the converted
  catalog format, so this change maintains the conversion but removes the
  v2 association.

  Change-Id: Ic7bca16d8c6211d006fc2ba09dc2ecd83f8955db
  Partial-Bug: #1845539
  Partial-Bug: #1777177
* Remove v2.0 functionality
  Author: Gage Hugo  Age: 2019-11-27  Files: 1  Lines: -28/+7

  This change removes v2.0 functionality from keystonemiddleware, as well
  as associated tests.

  Partial-Bug: #1845539
  Partial-Bug: #1777177
  Change-Id: If47e90085d8a59c52fb23876dc329cd4f0b05ef0
* Merge "Add validation of app cred access rules"  [tag: 7.0.0]
  Author: Zuul  Age: 2019-07-18  Files: 3  Lines: -2/+81
* Add validation of app cred access rules
  Author: Colleen Murphy  Age: 2019-07-15  Files: 3  Lines: -2/+81

  This commit adds a validation step in the auth_token middleware to check
  for the presence of an access_rules attribute in an application
  credential token and to validate the request against the permissions
  granted for that token. During token validation it sends a header to
  keystone to indicate that it is capable of validating these access
  rules, and not providing this header for a token like this would result
  in the token failing validation. This disregards access rules for a
  service request made by a service on behalf of a user, such as nova
  making a request to glance, because such a request is not under the
  control of the user and is not expected to be explicitly allowed in the
  access rules.

  bp whitelist-extension-for-app-creds

  Depends-On: https://review.opendev.org/670377
  Change-Id: I185e0541d5df538d74edadf9976b3034a2470c88
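The check the commit describes, as an added example (not keystonemiddleware's own code): a request is matched against the token's access_rules, and a service-to-service request made on the user's behalf is exempted. The rule layout ({"service", "method", "path"}), the wildcard semantics ("*" one path segment, "**" one or more segments), and the is_service_request flag are assumptions of this illustration; the sample token is constructed.

```python
"""Added example, not keystonemiddleware's own code: checking an incoming
request against the access_rules carried by an application-credential
token, with the service-request exemption the commit message describes.

Assumptions for this illustration: each rule is {"service", "method",
"path"}; in a rule path "*" matches exactly one path segment and "**"
matches one or more segments; a token without access_rules is
unrestricted; a request that also carries a valid service token is made by
a service on behalf of the user and skips the rule check.
"""
import re


def _compile_rule_path(rule_path):
    """Turn a rule path with * / ** wildcards into an anchored regex."""
    pieces = []
    for segment in rule_path.strip("/").split("/"):
        if segment == "**":
            pieces.append(".+")        # one or more segments
        elif segment == "*":
            pieces.append("[^/]+")     # exactly one segment
        else:
            pieces.append(re.escape(segment))
    return re.compile("^/" + "/".join(pieces) + "/?$")


def rule_matches(rule, service, method, path):
    return (rule["service"] == service
            and rule["method"].upper() == method.upper()
            and _compile_rule_path(rule["path"]).match(path) is not None)


def request_allowed(token, service, method, path, is_service_request=False):
    """Return True if the request may proceed under the token's access rules."""
    rules = token.get("access_rules")
    if rules is None:
        return True            # ordinary token: no restriction applies
    if is_service_request:
        return True            # service-to-service hop on the user's behalf
    return any(rule_matches(r, service, method, path) for r in rules)


# Constructed sample token (not a real keystone response).
APP_CRED_TOKEN = {
    "user": "ci-bot",
    "access_rules": [
        {"service": "compute", "method": "GET", "path": "/v2.1/servers/*"},
        {"service": "compute", "method": "POST", "path": "/v2.1/servers/*/action"},
        {"service": "image", "method": "GET", "path": "/v2/images/**"},
    ],
}

if __name__ == "__main__":
    for svc, meth, path in [("compute", "GET", "/v2.1/servers/abc"),
                            ("compute", "GET", "/v2.1/servers/abc/ips"),
                            ("compute", "DELETE", "/v2.1/servers/abc"),
                            ("image", "GET", "/v2/images/abc/file")]:
        print(meth, path, "->", request_allowed(APP_CRED_TOKEN, svc, meth, path))
```

The deny-by-default shape matters: a token that carries access_rules gets nothing that a rule does not explicitly grant, and only the service-hop exemption widens that.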
* Merge "print auth version for request strategy in debug"
  Author: Zuul  Age: 2019-07-12  Files: 1  Lines: -1/+1
* print auth version for request strategy in debug
  Author: ushen  Age: 2019-05-20  Files: 1  Lines: -1/+1

  Previously it would print the auth version of _requested_auth_version,
  which will be None all the time. Changing it to klass makes more sense.

  Change-Id: I1cec8f163e808f03f15ef053e5768cf711238f0d
* Merge "Remove PKI/PKIZ support"
  Author: Zuul  Age: 2019-06-21  Files: 4  Lines: -301/+8
* Remove PKI/PKIZ support
  Author: Morgan Fainberg  Age: 2019-06-19  Files: 4  Lines: -301/+8

  Keystone server no longer supports PKI/PKIZ. This change removes
  keystonemiddleware's support of PKI/PKIZ and associated code.

  Change-Id: I9a6639a2aa3774be61972d57f38220f66fd5c0e8
  closes-bug: #1649735
  partial-bug: #1736985
* Fix bandit warning
  Author: Lance Bragstad  Age: 2019-06-20  Files: 1  Lines: -2/+2

  Bandit is throwing warnings because we use 'token' in a couple of
  variables.

  Change-Id: I9fd21974027bc2bda6036c34fa587a044faaacae
* Merge "Add a new option to choose the Identity endpoint"  [tag: 6.1.0]
  Author: Zuul  Age: 2019-06-12  Files: 3  Lines: -8/+20
* Add a new option to choose the Identity endpoint
  Author: Jens Harbott  Age: 2019-06-03  Files: 3  Lines: -8/+20

  Previously the admin Identity endpoint was hardcoded to be used. Now
  that keystone has dropped v2 support, deploying an admin Identity
  endpoint is no longer useful, so allow this to be changed by the
  deployer. Keep the default as using the `admin` endpoint, but create a
  deprecation message so that we can change the default in the future.

  Partial-Bug: 1830002
  Change-Id: I993a45ccb1109d67e65bf32d1e134cc9bec2d88e
* Fix string format error
  Author: Sean McGinnis  Age: 2019-04-09  Files: 1  Lines: -1/+1

  Attempt to escape quotes actually forgot one of the quotes, causing
  "invalid escape sequence" warnings in the logs.

  Change-Id: I843257ba5c26f7ba6c5cd3b1b7c53ed26cb9ee8d
  Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
* Fix service_token_role_required option
  Author: ZhongShengping  Age: 2019-02-15  Files: 1  Lines: -3/+3

  The service_token_roles_required should be correct.

  Change-Id: I009e3a495953d61fb0c29a8b629efa3322cb0ddd
* Add auth invalidation in auth_token for identity endpoint update
  Author: Yang Youseok  Age: 2019-02-07  Files: 2  Lines: -0/+7

  Currently auth_token middleware does not consider identity endpoint
  updates, since the service catalog is not updated after the service
  having auth_token middleware has started. Add invalidation logic when an
  EndpointNotFound exception occurs so that auth_token middleware can be
  notified of a service catalog update without restart.

  Change-Id: I631ee1538883d732fe3987b172d987f703dad5c0
  Closes-Bug: #1813739
* Merge "Stop supporting revocation list"
  Author: Zuul  Age: 2018-11-07  Files: 4  Lines: -205/+1
* Stop supporting revocation list
  Author: Morgan Fainberg  Age: 2018-10-30  Files: 4  Lines: -205/+1

  With keystone's move to eliminating pki, pkiz, and uuid tokens the
  revocation list is no longer generated. Keystonemiddleware no longer
  needs to attempt to retrieve it and reference it.

  Change-Id: Ief3bf1941e62f9136dbed11877bca81c4102041b
  closes-bug: #1361743
  partial-bug: #1649735
  partial-bug: #1736985
* Documentation Fix - auth_url Port Number
  Author: David Olorundare  Age: 2018-11-05  Files: 1  Lines: -1/+1

  Made a small fix to the documentation - replacing the current auth_url
  port number 35357, in the configuration section of the
  [keystone_authtoken], with 5000. This was based on an online
  conversation with Colleen; with the removal of the v2 API from keystone
  the project now recommends use of port 5000 instead of the previous one.

  Change-Id: I750a4d0e75e0b919fd00ddf21c0e7ce62d495f95
* Respect delay_auth_decision when Keystone is unavailable
  Author: Tim Burke  Age: 2018-09-11  Files: 1  Lines: -0/+5

  The delay_auth_decision option has two main uses:

  1. Allow a service to provide its own auth mechanism, separate from
     auth tokens (like Swift's tempurl middleware).
  2. Allow a service to integrate with multiple auth middlewares which
     may want to use the same X-Auth-Token header.

  The first case works fine even when the service has trouble talking to
  Keystone -- the client doesn't send an X-Auth-Token header, so we never
  even attempt to contact Keystone.

  The second case can be problematic, however. The client will provide
  some token, and we don't know whether it's valid for Keystone, the
  other auth system, or neither. We have to *try* contacting Keystone,
  but if that was down we'd previously return a 503 without ever trying
  the other auth system. As a result, a Keystone failure results in a
  total system failure.

  Now, when delay_auth_decision is True and we cannot determine whether a
  token is valid or invalid, we'll instead declare the token invalid and
  defer the rejection. As a result, Keystone failures only affect Keystone
  users, and tokens issued by the other auth system may still be validated
  and used.

  Change-Id: Ie4b3319862ba7fbd329dc6883ce837e894d5270c
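The decision table behind delay_auth_decision, including the "Keystone unavailable" case this commit adds, as an added example (not keystonemiddleware's own code). It assumes the middleware either answers the request itself or passes it on with an X-Identity-Status of "Confirmed" or "Invalid"; the keystone stub, the downstream app and its second (tempurl-like) auth mechanism are constructed for the illustration.

```python
"""Added example, not keystonemiddleware's own code: the decision table
behind delay_auth_decision, including the "Keystone unavailable" case the
commit message adds.

Assumptions: keystone_validate is any callable that returns "valid" or
"invalid" or raises KeystoneUnavailable; the middleware either answers
itself ("reject", status) or passes the request on with the environment
header X-Identity-Status set to "Confirmed" or "Invalid".  The downstream
app and its second auth system are constructed for the illustration.
"""


class KeystoneUnavailable(Exception):
    """Stand-in for a connection error / DiscoveryFailure talking to keystone."""


def decide(token, keystone_validate, delay_auth_decision):
    """Return ("reject", http_status) or ("pass", identity_status)."""
    if token is None:
        # No X-Auth-Token at all: nothing to validate, keystone never contacted.
        return ("pass", "Invalid") if delay_auth_decision else ("reject", 401)
    try:
        result = keystone_validate(token)
    except KeystoneUnavailable:
        if delay_auth_decision:
            # Cannot tell valid from invalid: mark Invalid and let the next
            # middleware / the app decide, instead of failing the whole stack.
            return ("pass", "Invalid")
        return ("reject", 503)
    if result == "valid":
        return ("pass", "Confirmed")
    return ("pass", "Invalid") if delay_auth_decision else ("reject", 401)


def downstream_app(token, identity_status):
    """Constructed app with a second, local auth mechanism (tempurl-like)."""
    if identity_status == "Confirmed":
        return 200
    if token == "local-presigned-secret":   # accepted by the other auth system
        return 200
    return 401


def handle_request(token, keystone_validate, delay_auth_decision):
    """Full path: middleware decision, then the app if the request got through."""
    verdict, detail = decide(token, keystone_validate, delay_auth_decision)
    if verdict == "reject":
        return detail
    return downstream_app(token, detail)


def keystone_up(token):
    return "valid" if token == "ks-token-1" else "invalid"


def keystone_down(token):
    raise KeystoneUnavailable("ECONNREFUSED")


if __name__ == "__main__":
    for delay in (False, True):
        print("delay_auth_decision =", delay,
              "local token, keystone down ->",
              handle_request("local-presigned-secret", keystone_down, delay))
```

With delay_auth_decision=False the Keystone outage turns into a 503 for every caller, even one whose token Keystone never issued; with True only the Keystone users see failures, and only as 401s from the app.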
* No need to compare CONF content
  Author: wangxiyuan  Age: 2018-09-07  Files: 1  Lines: -1/+1

  When setting up the AuthProtocol class, if the CONF object contains
  deprecated options, an error "dictionary changed size during iteration"
  will be raised when comparing the CONF content. Change "!=" to "is not"
  here to avoid comparing the CONF content anymore.

  Change-Id: I820aa244160db4f81149d2576386c86b46de0084
  Closes-bug: #1789351
* Merge "Handle DiscoveryFailure errors"
  Author: Zuul  Age: 2018-08-28  Files: 1  Lines: -0/+1
* Handle DiscoveryFailure errors
  Author: Tim Burke  Age: 2018-08-01  Files: 1  Lines: -0/+1

  DiscoveryFailures can happen for a variety of reasons, ranging from
  service misconfiguration to a keystone outage to a transient network
  failure. If we don't catch and handle the failure here, it will almost
  certainly cause something further up the WSGI stack to send a 500
  Internal Error (and likely log a traceback).

  A log line like

    Unable to validate token: Could not find versioned identity endpoints
    when attempting to authenticate. Please check that your auth_url is
    correct. Unable to establish connection to http://keystone:35357:
    HTTPConnectionPool(host='keystone', port=35357): Max retries exceeded
    with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection
    object at 0x7fc53e22e050>: Failed to establish a new connection:
    [Errno 111] ECONNREFUSED',))

  should be plenty enough for an operator to assess the situation; I
  don't need a 29-frame traceback.

  Change-Id: I946388c09b2ca0230d2cef009c679a7ac7c8398f
* Fix KeystoneMiddleware memcachepool abstraction  [tag: 5.2.0]
  Author: Morgan Fainberg  Age: 2018-07-18  Files: 1  Lines: -1/+5

  Keystonemiddleware's abstraction for the memcache pool was broken when
  converting to use a queue.Queue. The logic that placed the connection
  back into the pool was moved to .acquire and the reserve method was not
  using acquire.

  Change-Id: I0eda5981cbb661f63790258cf8e70c7340615159
  Closes-Bug: #1782404
* Introduce new header for system-scoped tokens
  Author: Lance Bragstad  Age: 2018-05-02  Files: 2  Lines: -0/+14

  Keystonemiddleware attempts to parse user/service tokens and populate
  request headers for other services to consume. This information is
  important for services looking to build oslo.context objects from
  request environments.

  Change-Id: I0717c2a5207a647999b4f9bcdf11f728984f0812
  Closes-Bug: 1766731
* Merge "Double quote www_authenticate_uri"
  Author: Zuul  Age: 2018-04-21  Files: 1  Lines: -1/+1
* Double quote www_authenticate_uri
  Author: wangxiyuan  Age: 2018-04-12  Files: 1  Lines: -1/+1

  Based on the RFCs[1], in an http header a string of text is parsed as a
  single value if it is quoted using double-quote marks. This patch
  changes the single quote to a double quote in the header
  "WWW-Authenticate" which is returned when a 401 error is raised.

  [1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
       https://tools.ietf.org/html/rfc7235#section-2.1

  Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
  Closes-bug: #1762362
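Why the quoting matters, as an added example (not keystonemiddleware's code): the challenge is built with a double-quoted uri and then parsed with the RFC 7235 auth-param grammar (token "=" ( token / quoted-string )). A single-quoted value is neither a token (':' and '/' are not tchars) nor a quoted-string, so a strict parser refuses it. The "Keystone" scheme name and the uri parameter follow the commit's description; the exact strings are assumptions.

```python
"""Added example, not keystonemiddleware's own code: building the
WWW-Authenticate challenge with a double-quoted uri and parsing it with
the RFC 7235 auth-param grammar (token "=" ( token / quoted-string )),
to show why a single-quoted value does not survive a strict parser.

The "Keystone" scheme name and the uri parameter are the shape the
commit message describes; treat the exact strings as assumptions.
"""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # RFC 7230 token
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'              # RFC 7230 quoted-string
AUTH_PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED_STRING})")
SEPARATOR = re.compile(r"\s*,\s*")


def build_challenge(uri, scheme="Keystone"):
    """Header value sent with a 401: the uri is a quoted-string."""
    escaped = uri.replace("\\", "\\\\").replace('"', '\\"')
    return f'{scheme} uri="{escaped}"'


def parse_challenge(header_value):
    """Return (scheme, {param: value}); raise ValueError on malformed input."""
    scheme, _, rest = header_value.strip().partition(" ")
    if not re.fullmatch(TOKEN, scheme):
        raise ValueError(f"bad scheme {scheme!r}")
    params, pos, rest = {}, 0, rest.strip()
    while pos < len(rest):
        m = AUTH_PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"bad auth-param at {rest[pos:]!r}")
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo quoted-pair escapes
        params[name] = value
        pos = m.end()
        sep = SEPARATOR.match(rest, pos)
        if sep:
            pos = sep.end()
        elif pos < len(rest):
            raise ValueError(f"unexpected text at {rest[pos:]!r}")
    return scheme, params


def single_quoted_is_rejected(uri):
    """The pre-fix form: uri='...' is not a quoted-string, and ':' and '/'
    are not token characters, so a strict parser refuses it."""
    try:
        parse_challenge(f"Keystone uri='{uri}'")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hdr = build_challenge("http://keystone:5000")
    print(hdr, "->", parse_challenge(hdr))
    print("single-quoted rejected:", single_quoted_is_rejected("http://keystone:5000"))
```

Lenient clients may still extract something from the single-quoted form, which is why the bug was easy to miss; a conforming parser is the check that shows the difference.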
* Merge "Only include response body if there's a response"
  Author: Zuul  Age: 2018-04-20  Files: 1  Lines: -3/+4
* Only include response body if there's a response
  Author: Tim Burke  Age: 2018-04-10  Files: 1  Lines: -3/+4

  When handling timeouts talking to the keystone server, you may see log
  messages like

    authtoken: Bad response code while validating token: 408
    authtoken: Token validation failure.
    <traceback>
    AttributeError: 'NoneType' object has no attribute 'text'

  Since there's no response from the server when keystoneclient raises
  RequestTimeout [1], the `response` attribute is understandably None.

  Now, only log the response text if there's text to log. Additionally,
  log the response message (as well as status code) to provide as much
  context as we can for the error.

  [1] https://github.com/openstack/python-keystoneclient/blob/3.15.0/keystoneclient/session.py#L469

  Change-Id: Id400e4c38d07cbe7e1866dd572a17fc54c31e82a
* Merge "Remove kwargs_to_fetch_token"
  Author: Zuul  Age: 2018-04-04  Files: 1  Lines: -17/+1
* Remove kwargs_to_fetch_token
  Author: wangxiyuan  Age: 2018-02-22  Files: 1  Lines: -17/+1

  kwargs_to_fetch_token was deprecated and should be removed in Rocky now.

  Change-Id: Ic247efb84c5133449ead6a9864bbd7748e5e74bd
* Fix the AttributeError: __exit__ error
  Author: wangxiyuan  Age: 2018-02-22  Files: 1  Lines: -2/+1

  The memcache client class actually has no __exit__ function. Remove the
  "with" usage to avoid the __exit__ error.

  Change-Id: I15b3d08f4afae289e7eb0848ff1db08141196d3c
  Closes-Bug: #1747565
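The pool failure modes from this commit, from "Fix KeystoneMiddleware memcachepool abstraction" (#1782404) and from the eventlet-safety discussion in "Switch to eventlet-safe oslo.cache's MemcacheClientPool", in one added example (not keystonemiddleware's or oslo.cache's code): a bounded queue.Queue pool whose acquire() always returns the client, next to a reserve path that never does, and a "with client:" on a client object that has no __exit__. FakeClient stands in for a memcache client and is constructed for the illustration; nothing here talks to a real memcached.

```python
"""Added example, not keystonemiddleware's or oslo.cache's own code: a
bounded memcache-style client pool built on queue.Queue, showing the two
failure modes the commits above describe: a reserve path that hands out a
connection without ever returning it (#1782404), and "with client:" on a
client object that has no __exit__ (#1747565), against an acquire() context
manager that always returns the connection to the pool.

FakeClient stands in for a memcache client and is constructed for the
illustration; nothing here talks to a real memcached.
"""
import contextlib
import queue
import threading


class PoolExhausted(Exception):
    pass


class FakeClient:
    """Minimal stand-in for a memcache client (no __enter__/__exit__, like
    the real one the commit message mentions)."""
    def __init__(self, server):
        self.server = server

    def get(self, key):
        return None


class ClientPool:
    def __init__(self, server, maxsize, wait_timeout=0.05):
        self._server = server
        self._idle = queue.Queue(maxsize)
        self._lock = threading.Lock()
        self._maxsize = maxsize
        self._wait_timeout = wait_timeout
        self.created = 0  # how many clients (connections) were ever opened

    def _take(self):
        try:
            return self._idle.get_nowait()
        except queue.Empty:
            pass
        with self._lock:
            if self.created < self._maxsize:
                self.created += 1
                return FakeClient(self._server)
        try:
            return self._idle.get(timeout=self._wait_timeout)
        except queue.Empty:
            raise PoolExhausted(f"{self._maxsize} clients in use, none returned")

    @contextlib.contextmanager
    def acquire(self):
        """Fixed shape: the release lives in the context manager's finally,
        so the client comes back even if the caller's block raises."""
        client = self._take()
        try:
            yield client
        finally:
            self._idle.put(client)

    def reserve_leaky(self):
        """Broken shape from #1782404: hands out a client, nothing puts it back."""
        return self._take()


def hammer(pool, workers=8, rounds=25):
    """Many threads acquiring/releasing concurrently; returns clients opened."""
    def work():
        for _ in range(rounds):
            with pool.acquire() as client:
                client.get("token-xyz")
    threads = [threading.Thread(target=work) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return pool.created


def leak_then_acquire(maxsize=2):
    """Drain the pool via the leaky path, then show acquire() cannot proceed."""
    pool = ClientPool("memcached:11211", maxsize)
    for _ in range(maxsize):
        pool.reserve_leaky()
    try:
        with pool.acquire():
            return "acquired"
    except PoolExhausted:
        return "exhausted"


def with_on_client_fails():
    """Using 'with' on the client itself is the error from #1747565
    (AttributeError on older Pythons, TypeError on 3.11+)."""
    try:
        with FakeClient("memcached:11211"):
            pass
    except (AttributeError, TypeError):
        return True
    return False


if __name__ == "__main__":
    print("clients opened under load:", hammer(ClientPool("memcached:11211", 3)))
    print("after leaking every client:", leak_then_acquire())
```

The load test is the check the commit's "ss | grep 11211 | wc -l" loop performs by hand: with the release in a finally block the number of connections stays bounded by the pool size no matter how many workers run.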
* Add arguments for MemcacheClientPool init
  Author: wangxiyuan  Age: 2018-02-22  Files: 1  Lines: -2/+9

  Now keystonemiddleware uses oslo.cache to init the MemcacheClientPool.
  The MemcacheClientPool in oslo.cache needs (urls, arguments, **kwargs)
  parameters to init, but keystonemiddleware passed only (urls, **kwargs).
  This leads to the error:

    __init__() takes exactly 3 arguments (2 given)

  This patch fixes this issue.

  Please note that even when this error is fixed, setting
  "memcache_use_advanced_pool = True" will lead to another error, see bug
  #1747565 for the detail. It will be fixed in the following patch.

  Closes-bug: #1748160
  Change-Id: I642f959ab8b010207314312a6b6a06a6de23e92c
* Identify the keystone service when raising 503
  Author: Chris Dent  Age: 2018-02-20  Files: 1  Lines: -1/+2

  When the keystonemiddleware is used directly in the WSGI stack of an
  application, the 503 that is raised when the keystone service errors or
  cannot be reached needs to identify that keystone is the service that
  has failed, otherwise it appears to the client that it is the service
  they are trying to access that is down, which is misleading.

  This addresses the problem in the most straightforward way possible:
  the exception that causes the 503 is given a message including the word
  "Keystone".

  The call method in BaseAuthTokenTestCase gains an expected_body_string
  kwarg. If not None, the response body (as a six.text_type) is compared
  with the value.

  Change-Id: Idf211e7bc99139744af232f5ea3ecb4be41551ca
  Closes-Bug: #1747655
  Closes-Bug: #1749797
* Merge "Log TokenNotFound at INFO level instead of WARNING"  [tag: 4.21.0]
  Author: Zuul  Age: 2018-01-05  Files: 1  Lines: -2/+2
* Log TokenNotFound at INFO level instead of WARNING
  Author: John Dennis  Age: 2017-12-18  Files: 1  Lines: -2/+2

  Token expiration is normal, however the client logs fill up with these
  ominous WARNING messages:

    WARNING keystonemiddleware.auth_token [-] Authorization failed for token
    WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Could not find token: 24ffb14540c74a7c964f9627fe2af8fb", "code": 404, "title": "Not Found"}}

  It seems more useful to log normal events at a level less than WARNING;
  this would reduce the log size but more importantly it will help
  eliminate the concerns raised when logs are filled with WARNING messages
  that are otherwise benign.

  Change-Id: I54ad6b5530ee81616bd4a44f8295985f5d84c2ee
  Closes-Bug: #1738300
  Signed-off-by: John Dennis <jdennis@redhat.com>
* cfg.CONF must not be used directly
  Author: Mehdi Abaakouk  Age: 2017-12-20  Files: 1  Lines: -2/+3

  cfg.CONF must not be used directly, Config().oslo_conf_obj must be used
  instead.

  Closes-bug: #1737119
  Change-Id: I58ec9e25c7f04a8352535d8861e09c7e4c4c0a9d
* rel-note and doc for lazy loading of oslo_cache
  Author: Mehdi Abaakouk  Age: 2017-12-13  Files: 1  Lines: -0/+2

  In continuation of I00e953abb3e835a94353fe458100c96e8e9c095a, this
  change adds the release note and documentation.

  Related-bug #1737115
  Change-Id: I456239842d139074cc38cfd620bb88561bb4d0d7
* lazy loading of oslo_cache
  Author: Mehdi Abaakouk  Age: 2017-12-12  Files: 1  Lines: -3/+3

  Now we depend on oslo.cache [1] and use the private/internal
  memcache_pool code of the lib, making oslo.cache fail to import instead
  of just logging an error about the missing requirement for the selected
  drivers at runtime.

  This change restores the previous behavior by lazy loading the module.

  [1] 9d8e2836fe7fca186e0380d8a532540ff5cc5215

  Change-Id: I00e953abb3e835a94353fe458100c96e8e9c095a
  Closes-bug: #1737115
* Use oslo_cache in auth_token middleware
  Author: Jamie Lennox  Age: 2017-12-01  Files: 3  Lines: -187/+12

  Use the new oslo.cache library instead of using memcached directly.

  This keeps the old options around and will continue to use those in
  preference to the oslo.config library as there is no way to test whether
  oslo.cache was explicitly configured to use that in preference.
  Currently there are no messages or anything to deprecate the old options
  until we've had a chance to test it in production environments.

  Closes-Bug: #1523375
  Change-Id: Ifccacc5db311ad538ce60191cbe221644d1a5807
  Co-Authored-By: Nicolas Helgeson <nh202b@att.com>
* Merge "Rename auth_uri to www_authenticate_uri"
  Author: Zuul  Age: 2017-10-20  Files: 3  Lines: -11/+34
* Rename auth_uri to www_authenticate_uri
  Author: Colleen Murphy  Age: 2017-10-11  Files: 3  Lines: -11/+34

  The [keystone_authtoken]/auth_uri middleware parameter has been causing
  extreme confusion amongst operators and developers ever since the
  keystonemiddleware started accepting keystoneauth plugin parameters
  including auth_url. The two parameters look identical and yet have
  completely different meanings and are both required. This patch
  deprecates auth_uri and renames it to www_authenticate_uri, which more
  accurately describes the WWW-Authenticate header it is configuring and
  is dissimilar to any other keystone_authtoken middleware parameter. This
  also renames the internal variable names for consistency with the config
  option.

  Change-Id: I0cf11da3d395749df28077427689fdafc8a6b981
* Fix py3 byte/string error
  Author: Tin Lam  Age: 2017-10-11  Files: 1  Lines: -0/+16

  This patch set corrects a problem when the keystonemiddleware is
  executed with memcache encryption enabled. Currently, the hmac.new()
  calls throw exceptions in python3 due to how py2 and py3 handle string
  vs. byte/bytearray.

  Co-Authored-By: Rohan Arora <ra271w@att.com>
  Closes-Bug: #1713574
  Change-Id: I9bb291be48a094b9f266a8459a3f51ee163d33a3
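The str/bytes problem with hmac.new() on py3 and the usual normalisation fix, as an added example (not keystonemiddleware's code). The protect()/unprotect() pair sketches what a cache-protection "MAC" mode does with that HMAC: tag the cached token data so a tampered or foreign cache entry is rejected on read. The key handling and the tag || payload layout are assumptions of this illustration, not the project's cache format.

```python
"""Added example, not keystonemiddleware's own code: the py3 str/bytes
problem with hmac.new() that the commit message describes, and the usual
fix of normalising key and message to bytes before calling it.  The
protect()/unprotect() pair sketches what a cache-encryption "MAC" mode
does with that HMAC: tag the cached token data so a tampered cache entry
is rejected on read.  Key derivation details and the entry layout are
assumptions of this illustration, not the project's format.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag


def mac_naive(secret, message):
    """What the pre-fix code effectively did: pass whatever it was given.
    Works on py2 (str is bytes), raises TypeError on py3 for text input."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def _to_bytes(value):
    """Accept str, bytes or bytearray; hmac needs bytes-like on py3."""
    if isinstance(value, str):
        return value.encode("utf-8")
    return bytes(value)


def mac(secret, message):
    """Fixed version: normalise both inputs, then HMAC-SHA256."""
    return hmac.new(_to_bytes(secret), _to_bytes(message), hashlib.sha256).digest()


def protect(secret, payload):
    """Cache entry = tag || payload (layout assumed for the illustration)."""
    payload = _to_bytes(payload)
    return mac(secret, payload) + payload


def unprotect(secret, entry):
    """Return the payload if its tag verifies, else None.  compare_digest
    keeps the comparison constant-time."""
    if len(entry) < TAG_LEN:
        return None
    tag, payload = entry[:TAG_LEN], entry[TAG_LEN:]
    if not hmac.compare_digest(tag, mac(secret, payload)):
        return None
    return payload


def naive_raises_on_text(secret="cache-secret", message="token-data"):
    """True on py3: hmac.new refuses a str key/message."""
    try:
        mac_naive(secret, message)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print("naive call fails on py3:", naive_raises_on_text())
    entry = protect("cache-secret", '{"user": "alice"}')        # constructed payload
    print("valid entry   ->", unprotect("cache-secret", entry))
    print("tampered entry->", unprotect("cache-secret", entry[:-1] + b"x"))
```

Normalising at the boundary (one _to_bytes for every caller) is the robust fix; sprinkling .encode() at individual hmac.new() call sites is how the original py2-era code ended up half-converted.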
* Merge "Issue a deprecation warning for validating PKI tokens"
  Author: Jenkins  Age: 2017-10-06  Files: 1  Lines: -0/+7
* Issue a deprecation warning for validating PKI tokens
  Author: Jamie Lennox  Age: 2017-10-03  Files: 1  Lines: -0/+7

  PKI tokens have been deprecated and removed from keystone server. To get
  them removed from auth_token middleware we need to deprecate it.

  We issue the warning when a successful validation has occurred as all
  incoming tokens get checked for if we think they are PKI and tried to
  decrypt.

  Change-Id: Ibc6e3378aa7c851335bcb9abbcc31572e6cef9e7
  bp: deprecated-as-of-queens