Bug 866451

Summary: Space in token string leads to exceptions in logs.
Product: Red Hat OpenStack Reporter: Jaroslav Henner <jhenner>
Component: openstack-keystoneAssignee: Alan Pevec <apevec>
Status: CLOSED ERRATA QA Contact: Jaroslav Henner <jhenner>
Severity: low Docs Contact:
Priority: medium    
Version: 1.0 (Essex)CC: ayoung
Target Milestone: snapshot4Keywords: Triaged
Target Release: 2.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-keystone-2012.2.3-4.el6ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-21 15:03:11 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Jaroslav Henner 2012-10-15 07:59:28 EDT
Description of problem:
Sending invalid token (containing space) leads to exceptions in api.log.

Version-Release number of selected component (if applicable):
openstack-keystone-2012.1.2-4.el6.noarch

How reproducible:


Steps to Reproduce:
1. curl http://nova-api:8774/v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action -H 'X-Auth-Token: a b' -H 'Content-Type: application/json' -d '<?xml version="1.0" encoding="UTF-8"?>\n<addFloatingIp address="10.11.12.13"/>' -X POST -v
  
Actual results:
2012-10-15 11:39:15 INFO nova.api.openstack [-] http://nova-api:8774/v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action returned with HTTP 500
2012-10-15 11:39:20 INFO nova.virt.libvirt.connection [-] Compute_service record updated for node-02.lithium.rhev.lab.eng.brq.redhat.com 
2012-10-15 11:39:53 ERROR nova.api.openstack [-] Caught error: 'access'
2012-10-15 11:39:53 TRACE nova.api.openstack Traceback (most recent call last):
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 82, in __call__
2012-10-15 11:39:53 TRACE nova.api.openstack     return req.get_response(self.application)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1053, in get_response
2012-10-15 11:39:53 TRACE nova.api.openstack     application, catch_exc_info=False)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1022, in call_application
2012-10-15 11:39:53 TRACE nova.api.openstack     app_iter = application(self.environ, start_response)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 174, in __call__
2012-10-15 11:39:53 TRACE nova.api.openstack     user_headers = self._build_user_headers(token_info)
2012-10-15 11:39:53 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 396, in _build_user_headers
2012-10-15 11:39:53 TRACE nova.api.openstack     user = token_info['access']['user']
2012-10-15 11:39:53 TRACE nova.api.openstack KeyError: 'access'
2012-10-15 11:39:53 TRACE nova.api.openstack 


Expected results:
Some message about auth deny.


Additional info:
Comment 1 Jaroslav Henner 2012-10-15 08:08:21 EDT
The POST to the nova-api looks like following:

> POST /v2/d4319f044dd043ec964f235cc2993e40/servers/559ab9d4-8ace-41d8-a03f-2edd57dd972a/action HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-redhat-linux-gnu) libcurl/7.24.0 NSS/3.13.5.0 zlib/1.2.5 libidn/1.24 libssh2/1.4.1
> Host: nova-api.lithium.rhev.lab.eng.brq.redhat.com:8774
> Accept: */*
> X-Auth-Token: a b
> Content-Type: application/json
> Content-Length: 77
> 
* upload completely sent off: 77 out of 77 bytes
< HTTP/1.1 500 Internal Server Error
< Content-Length: 128
< Content-Type: application/json; charset=UTF-8
< Date: Mon, 15 Oct 2012 12:04:01 GMT
< 
* Connection #0 to host nova-api... left intact
{"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}* Closing connection #0


I also don't like it is failing with HTTP 500 and not with HTTP 401 Unauthorized.

Note there is https://bugs.launchpad.net/keystone/+bug/974319
Comment 3 Adam Young 2012-12-14 14:34:48 EST
Upstream fix for Grizzly

https://review.openstack.org/#/c/18062/
Comment 13 errata-xmlrpc 2013-03-21 15:03:11 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0672.html