Bug 1116551 - Can't get a token with curl when keystone is running in Apache with LDAP
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z2
Target Release: 5.0 (RHEL 7)
Assigned To: Adam Young
QA Contact: Udi
Keywords: ZStream
Reported: 2014-07-06 02:49 EDT by Udi
Modified: 2016-04-26 19:59 EDT (History)
Fixed In Version: openstack-keystone-2014.1.3-1.el7ost
Doc Type: Bug Fix
Last Closed: 2014-11-03 03:47:39 EST
Type: Bug

Attachments
Rich Megginson's script for keystone-ldap-ipa.sh (5.26 KB, application/x-shellscript)
2014-07-06 02:49 EDT, Udi


External Trackers
Launchpad 1312971 (Priority: None; Status: None; Summary: None; Last Updated: Never)
OpenStack gerrit 116991 (Priority: None; Status: None; Summary: None; Last Updated: Never)
Red Hat Product Errata RHSA-2014:1790 (Priority: normal; Status: SHIPPED_LIVE; Summary: Important: openstack-keystone security and bug fix update; Last Updated: 2014-11-03 08:47:09 EST)

Description Udi 2014-07-06 02:49:06 EDT
Created attachment 914917 [details]
Rich Megginson's script for keystone-ldap-ipa.sh

Description of problem:

This patch seems to be missing: https://review.openstack.org/#/c/90476/

When keystone is working with LDAP and running under Apache, I can only use the keystone client but I can't authenticate using curl. I get a 500 Internal Server Error and I see the following error in the log:

==> /var/log/httpd/error_log <==
[Thu Jul 03 17:33:46.808584 2014] [:error] [pid 13454] [remote 10.35.64.157:216] mod_wsgi (pid=13454): Exception occurred processing WSGI script '/var/www/cgi-bin/keystone/main'.
[Thu Jul 03 17:33:46.808634 2014] [:error] [pid 13454] [remote 10.35.64.157:216] TypeError: expected byte string object for header value, value of type unicode found


No other errors seen in other logs. I tried with v3 as well as v2 tokens and failed with both. When I stop httpd and start openstack-keystone I have no problems. The script I use to get a token with curl is:


Version-Release number of selected component (if applicable):
openstack-keystone-2014.1-5.el7ost.noarch
python-keystone-2014.1-5.el7ost.noarch
python-keystoneclient-0.9.0-1.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. Configure keystone to use LDAP using the attached script by Rich Megginson
2. See that you can get a token from /v3/auth/tokens as well as by using the client
3. Run keystone under Apache (instructions are here: https://wiki.test.redhat.com/RhevmQe/OpenStackTeam/Keystone/WSGI2)
4. Check if you can get a token again


Actual results:
Can't get a token by calling /v3/auth/tokens, only with the client


Expected results:
You should be able to get a token by calling /v3/auth/tokens just as you can when keystone is running stand-alone.


Additional info:
This patch seems to be missing: https://review.openstack.org/#/c/90476/
Comment 1 Udi 2014-07-06 02:51:06 EDT
To get a token with curl:

#!/bin/bash

KEYSTONE_USER=keystone
KEYSTONE_TENANT=admin
KEYSTONE_USERPASS=redhat123
KEYSTONE_DOMAIN=default
KEYSTONE_URL=http://10.35.64.157:5000/v3

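# Keep the credentials file (and the files written below) readable only by the current user
umask 077
cat << EOF > ~/auth1.json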
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "$KEYSTONE_DOMAIN"
                    },
                    "name": "$KEYSTONE_USER",
                    "password": "$KEYSTONE_USERPASS"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "name": "$KEYSTONE_DOMAIN"
                },
                "name": "$KEYSTONE_TENANT"
            }
        }
    }
}
EOF

# Post the credentials file written above; the absolute path makes this work from any directory
MYTOKEN=$(curl -si -d @"$HOME/auth1.json" -H "Content-type: application/json" "${KEYSTONE_URL}/auth/tokens?nocatalog" | tee result.raw | awk '/X-Subject-Token/ {print $2}')
# Strip the trailing carriage return from the HTTP header line
MYTOKEN=$(echo "$MYTOKEN" | tr -d '\r')
rm -f ~/auth1.json

# echo result.raw to stderr if MYTOKEN is blank, so the user can read the error on the console
if [ -z "$MYTOKEN" ]; then
    cat result.raw >&2
    echo "" >&2
else
    echo "$MYTOKEN"
    echo "export TESTV3_TOKEN=${MYTOKEN}" > ~/keystone_v3testtoken
fi
Comment 3 Udi 2014-07-07 08:38:30 EDT
I recreated this bug also without LDAP, so in general we have a problem running under Apache.
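
The TypeError in the Apache log above is mod_wsgi rejecting a response header whose value is not a native string, which PEP 3333 requires. The following is an added example, not part of the bug report and not keystone or mod_wsgi code: a WSGI middleware that records and coerces such headers. It assumes Python 3, where the wrong type is `bytes` rather than `unicode`. The app, the header chosen and all function names are constructed for illustration, since the report does not say which header was at fault.

```python
# Added example, not keystone or mod_wsgi code; all names here are hypothetical.
# PEP 3333 requires response header names and values to be native `str`.
# On Python 2 the offending type was `unicode` (as in the log above); on
# Python 3, used here, the equivalent mistake is passing `bytes`.


def header_type_guard(app, violations):
    """Wrap a WSGI app; record non-native header strings and coerce them."""
    def to_native(item):
        # Header text must fit ISO-8859-1 per PEP 3333, so decode with latin-1.
        return item.decode("latin-1") if isinstance(item, bytes) else str(item)

    def guarded(environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                for role, item in (("name", name), ("value", value)):
                    if type(item) is not str:
                        violations.append(
                            (to_native(name), role, type(item).__name__))
                fixed.append((to_native(name), to_native(value)))
            return start_response(status, fixed, exc_info)
        return app(environ, checked_start_response)
    return guarded


def token_app(environ, start_response):
    """Constructed app that emits a token header with the wrong string type."""
    headers = [("Content-Type", "application/json"),
               ("X-Subject-Token", b"constructed-token-value")]  # wrong type
    start_response("201 Created", headers)
    return [b"{}"]


def run_once(app):
    """Call a WSGI app with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v3/auth/tokens"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    found = []
    print(run_once(header_type_guard(token_app, found)), found)
```
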
Comment 6 Nathan Kinder 2014-08-26 14:41:40 EDT
This has been proposed for backport to stable/icehouse upstream:

  https://review.openstack.org/#/c/116991/
Comment 9 Nathan Kinder 2014-10-08 18:56:53 EDT
This was addressed in the upstream 2014.1.3 Icehouse release.
Comment 11 Udi 2014-10-15 02:22:50 EDT
Verified: 
openstack-keystone-2014.1.3-2.el7ost.noarch
python-keystone-2014.1.3-2.el7ost.noarch
Comment 13 errata-xmlrpc 2014-11-03 03:47:39 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1790.html
