Bug 1116551

Summary: Can't get a token with curl when keystone is running in Apache with LDAP
Product: Red Hat OpenStack
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Udi Kalifon <ukalifon>
Assignee: Adam Young <ayoung>
QA Contact: Udi Kalifon <ukalifon>
CC: aberezin, ajeain, apevec, ayoung, nkinder, yeylon
Target Milestone: z2
Keywords: ZStream
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-keystone-2014.1.3-1.el7ost
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-11-03 08:47:39 UTC
Attachments: Rich Megginson's script for keystone-ldap-ipa.sh

Description Udi Kalifon 2014-07-06 06:49:06 UTC
Created attachment 914917
Rich Megginson's script for keystone-ldap-ipa.sh

Description of problem:

This patch seems to be missing: https://review.openstack.org/#/c/90476/

When keystone is working with LDAP and running under Apache, I can only use the keystone client but I can't authenticate using curl. I get a 500 Internal Server Error and I see the following error in the log:

==> /var/log/httpd/error_log <==
[Thu Jul 03 17:33:46.808584 2014] [:error] [pid 13454] [remote 10.35.64.157:216] mod_wsgi (pid=13454): Exception occurred processing WSGI script '/var/www/cgi-bin/keystone/main'.
[Thu Jul 03 17:33:46.808634 2014] [:error] [pid 13454] [remote 10.35.64.157:216] TypeError: expected byte string object for header value, value of type unicode found


No other errors seen in other logs. I tried with v3 as well as v2 tokens and failed with both. When I stop httpd and start openstack-keystone I have no problems. The script I use to get a token with curl is:


Version-Release number of selected component (if applicable):
openstack-keystone-2014.1-5.el7ost.noarch
python-keystone-2014.1-5.el7ost.noarch
python-keystoneclient-0.9.0-1.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. Configure keystone to use LDAP using the attached script by Rich Megginson
2. See that you can get a token from /v3/auth/tokens as well as by using the client
3. Run keystone under Apache (instructions are here: https://wiki.test.redhat.com/RhevmQe/OpenStackTeam/Keystone/WSGI2)
4. Check if you can get a token again


Actual results:
Can't get a token by calling /v3/auth/tokens, only with the client


Expected results:
You should be able to get a token by calling /v3/auth/tokens just as you can when keystone is running stand-alone.


Additional info:
This patch seems to be missing: https://review.openstack.org/#/c/90476/
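
A triage sketch for the error_log signature quoted in the description above, added here as an example (it is not part of the bug report or of keystone): it pairs each mod_wsgi "Exception occurred" line with the exception line the same pid logs next. The sample input is constructed from the two lines in the report plus one unrelated line; the names `wsgi_failures` and `is_header_type_bug` are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample: the two error_log lines quoted in the report, plus one
# unrelated line to show that only paired mod_wsgi failures are returned.
SAMPLE_LOG = """\
[Thu Jul 03 17:33:46.808584 2014] [:error] [pid 13454] [remote 10.35.64.157:216] mod_wsgi (pid=13454): Exception occurred processing WSGI script '/var/www/cgi-bin/keystone/main'.
[Thu Jul 03 17:33:46.808634 2014] [:error] [pid 13454] [remote 10.35.64.157:216] TypeError: expected byte string object for header value, value of type unicode found
[Thu Jul 03 17:34:02.000000 2014] [:error] [pid 13460] [remote 10.35.64.157:300] unrelated application warning
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] (?:\[remote (?P<remote>[^\]]+)\] )?(?P<msg>.*)$")
WSGI_FAIL = re.compile(r"mod_wsgi \(pid=\d+\): Exception occurred processing "
                       r"WSGI script '(?P<script>[^']+)'")
EXC = re.compile(r"^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception)): (?P<detail>.*)$")

Failure = namedtuple("Failure", "ts pid remote script exc_type detail")

def wsgi_failures(text):
    """Pair each mod_wsgi 'Exception occurred' line with the exception line
    that the same pid logs next; traceback lines in between are skipped."""
    pending = {}   # pid -> (ts, remote, script) awaiting its exception line
    found = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        start = WSGI_FAIL.search(msg)
        if start:
            pending[pid] = (m["ts"], m["remote"], start["script"])
            continue
        exc = EXC.match(msg)
        if exc and pid in pending:
            ts, remote, script = pending.pop(pid)
            found.append(Failure(ts, pid, remote, script, exc["type"], exc["detail"]))
    return found

def is_header_type_bug(failure):
    """True for the failure in this report: a header value of the wrong string type."""
    return failure.exc_type == "TypeError" and "header value" in failure.detail

if __name__ == "__main__":
    for f in wsgi_failures(SAMPLE_LOG):
        print(f.pid, f.script, f.exc_type, is_header_type_bug(f))
```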

Comment 1 Udi Kalifon 2014-07-06 06:51:06 UTC
To get a token with curl:

#!/bin/bash

KEYSTONE_USER=keystone
KEYSTONE_TENANT=admin
KEYSTONE_USERPASS=redhat123
KEYSTONE_DOMAIN=default
KEYSTONE_URL=http://10.35.64.157:5000/v3

cat << EOF > ~/auth1.json
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "$KEYSTONE_DOMAIN"
                    },
                    "name": "$KEYSTONE_USER",
                    "password": "$KEYSTONE_USERPASS"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "name": "$KEYSTONE_DOMAIN"
                },
                "name": "$KEYSTONE_TENANT"
            }
        }
    }
}
EOF

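# POST the credentials from the file written above (~/auth1.json); the token is
# returned in the X-Subject-Token response header, and the raw reply is kept in result.raw
MYTOKEN=$(curl -si -d @"$HOME/auth1.json" -H "Content-type: application/json" "${KEYSTONE_URL}/auth/tokens?nocatalog" | tee result.raw | awk '/X-Subject-Token/ {print $2}')
# strip the carriage return that ends the HTTP header line
MYTOKEN=$(echo "$MYTOKEN" | tr -d '\r')
rm -f ~/auth1.json

# echo result.raw to stderr if MYTOKEN is blank, so the user can read the error on the console
if [ "x$MYTOKEN" = "x" ]; then
    cat result.raw >&2
    echo "" >&2
else
   echo "$MYTOKEN"
   echo "export TESTV3_TOKEN=${MYTOKEN}" > ~/keystone_v3testtoken
fi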

Comment 3 Udi Kalifon 2014-07-07 12:38:30 UTC
I recreated this bug also without LDAP, so in general we have a problem running under Apache.

Comment 6 Nathan Kinder 2014-08-26 18:41:40 UTC
This has been proposed for backport to stable/icehouse upstream:

  https://review.openstack.org/#/c/116991/

Comment 9 Nathan Kinder 2014-10-08 22:56:53 UTC
This was addressed in the upstream 2014.1.3 Icehouse release.

Comment 11 Udi Kalifon 2014-10-15 06:22:50 UTC
Verified: 
openstack-keystone-2014.1.3-2.el7ost.noarch
python-keystone-2014.1.3-2.el7ost.noarch

Comment 13 errata-xmlrpc 2014-11-03 08:47:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1790.html