Bug 949307

Summary: rhc can't authenticate with a password once a token expires
Product: OKD
Reporter: Thomas Wiest <twiest>
Component: oc
Assignee: Clayton Coleman <ccoleman>
Status: CLOSED WORKSFORME
QA Contact: libra bugs <libra-bugs>
Severity: unspecified
Priority: unspecified
Version: 2.x
CC: jinzhang, zzhao
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-04-09 13:54:58 UTC
Type: Bug

Description Thomas Wiest 2013-04-07 16:18:56 UTC
Description of problem:
Once a token expires, rhc can no longer authenticate, even when you pass in a password. This causes all auth-related operations to fail (including trying to delete auth tokens).

Here is what I got when I tried to list the domain with an expired auth token:
$ rhc domain show -p $pass -k
Your authorization token has expired. Please sign in now to continue.
Username or password is not correct
Not authenticated

NOTE: I'm passing in the correct password here. The expired token is causing all rhc auth sessions to fail. If I'm passing in the correct password, this should always succeed.


Here is what I got when I tried to remove all auth tokens:
$ rhc authorization delete-all -k -p $pass
Deleting all authorizations ... Your authorization token has expired. Please sign in now to continue.
Username or password is not correct
Not authenticated

NOTE: the username and password _are_ correct.


To manually fix this problem, I had to remove the token using this command:
$ rm ~/.openshift/token_L4hORHcHOZWgmE7J4emuvg

Once I did this, rhc started working properly again.


Version-Release number of selected component (if applicable):
rhc-1.6.8-1.el6oso.noarch


How reproducible:
unsure, but probably pretty reproducible.


Steps to Reproduce:
NOTE: This was seen with our monitoring checks, so these steps are what I think will repro it.
1. Create a token for rhc to use (verify that it's there in the ~/.openshift directory)
2. Wait for the token to expire
3. Run: rhc domain show -k -p $pass
4. Notice that even though you're passing in the correct password, the call fails.
5. Run: rhc authorization delete-all -k -p $pass
6. Notice again that even though you're passing in the correct password, the call fails.
  

Actual results:
Couldn't remove a token once it was expired. With the expired token in place, all rhc commands that required authorization failed (for instance, "rhc domain show" failed).


Expected results:
If I'm passing in a password, it should never fail, even if a token has expired.
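
The manual workaround from this report, wrapped for an unattended monitoring check. This is an added example, not part of the original report and not rhc code. It assumes rhc exits non-zero on the failure shown above and keeps cached tokens in ~/.openshift/token_* as in the report; the names RHC_BIN, TOKEN_DIR and rhc_retry_without_stale_token are hypothetical.

```shell
#!/bin/sh
# Added example (not rhc code). RHC_BIN, TOKEN_DIR and the function name are
# hypothetical; the token path pattern and message text come from the report.

RHC_BIN="${RHC_BIN:-rhc}"
TOKEN_DIR="${TOKEN_DIR:-$HOME/.openshift}"
EXPIRED_MSG='Your authorization token has expired'

# Run an rhc command. Only when it FAILS and the output names an expired token
# are the cached token files removed and the command retried once, so that the
# credentials passed on the command line are the only ones left to use.
# A successful run that merely prints the expiry notice is left alone.
# Assumption: rhc returns a non-zero exit status when authentication fails.
rhc_retry_without_stale_token() {
    if out=$("$RHC_BIN" "$@" 2>&1); then rc=0; else rc=$?; fi

    if [ "$rc" -ne 0 ] && printf '%s\n' "$out" | grep -q "$EXPIRED_MSG"; then
        removed=0
        for f in "$TOKEN_DIR"/token_*; do
            [ -f "$f" ] || continue          # glob matched nothing
            rm -f -- "$f" && removed=$((removed + 1))
        done
        # Log to stderr so the check's stdout stays rhc's own output.
        printf 'removed %d cached token file(s) from %s, retrying\n' \
            "$removed" "$TOKEN_DIR" >&2
        if out=$("$RHC_BIN" "$@" 2>&1); then rc=0; else rc=$?; fi
    fi

    printf '%s\n' "$out"
    return "$rc"
}
```

A monitoring check would call it as `rhc_retry_without_stale_token domain show -k -p "$pass"`; any other failure is returned unchanged and no token file is touched.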

Comment 1 joycezhang 2013-04-08 05:37:00 UTC
QE can't reproduce this bug with rhc-1.6.8-1.el6oso.noarch. Please refer to the steps below:

Steps:
1. Create a token with a short expiration period
# rhc authorization add --scopes session --note new_session --expires-in 60
Adding authorization ... done

new_session
-----------
  Token:      decbbd3292354cf0068820964bdb994b4c5118e3208cc4ef14a954cb9e1d588a
  Scopes:     session
  Created:    1:32 PM
  Expires In: 1 minute

2. Wait for the token to expire
3. Run: rhc domain show or rhc authorization


Actual results:
It will generate a new token automatically after you input the correct password, as below:
# rhc domain show
Your authorization token has expired. Please sign in now to continue.
Password: ******
Applications in stgtest1 domain
-------------------------------

  php11 @ http://php11-stgtest1.stg.rhcloud.com/ (uuid: 51614b242587c8247f00012d)
  -------------------------------------------------------------------------------
    Created: Apr 07  6:32 PM
    Gears:   1 (defaults to small)
    Git URL: ssh://51614b242587c8247f00012d.rhcloud.com/~/git/php11.git/
    SSH:     51614b242587c8247f00012d.rhcloud.com

    php-5.3 (PHP 5.3)
    -----------------
      Gears: 1 small


# rhc authorization
RHC/1.6.8 (from dhcp-11-50.nay.redhat.com on x86_64-linux)
----------------------------------------------------------
  Token:      fcde849437fb591febe36d571da4bfaa996ce376b010c3c3228a0f7c0bd5593c
  Scopes:     session
  Created:    1:33 PM
  Expires In: about 24 hours


Could you please help provide more information for this bug? Thanks.

Comment 2 Thomas Wiest 2013-04-08 13:38:42 UTC
Hmm, interesting. Not that it should matter, but try passing in the password using the -p command line option. That's what I was doing.

The only other thing I can think of that's different is that this token was created by the 'rhc setup' command.

Here was the rhc setup command that we ran:
rhc setup -l $user -p $pass

Comment 3 zhaozhanqi 2013-04-09 06:57:50 UTC
QE tested again with rhc-1.6.8-1.el6oso.noarch, but still cannot reproduce the bug.

If the token has expired or been deleted, running any command with the '-p' option, like 'rhc domain show -p $password', executes successfully.

These are my steps:

 1) First, create a token with 'rhc setup'

  [zqzhao@dhcp-13-222 .openshift]$ rhc authorization
RHC/1.6.8 (from dhcp-13-222.nay.redhat.com on x86_64-linux)
-----------------------------------------------------------
  Token:      3300862bc69ee72fab0bae8d03c28656aad8f3aa6d48cba508d8aa10b95a8e16
  Scopes:     session
  Created:    2:51 AM
  Expires In: less than 1 minute

 
 2) After 1 minute, run 'rhc domain show -p redhat -k'
  
  [zqzhao@dhcp-13-222 .openshift]$ rhc domain show -p redhat -k
Your authorization token has expired. Please sign in now to continue.
 The domain zqd exists but has no applications. You can use 'rhc app create' to   create a new application.

Comment 4 Thomas Wiest 2013-04-09 13:54:58 UTC
Ok, thanks for trying to repro this. I'm not sure how I got the rhc into this state.

I'm closing this bug for now and will re-open if I run across this problem again (hopefully with better repro instructions).